Pattern: MCP Tool Output Is Untrusted Input — Treat It Like User Data
Cloud Security Alliance·medium signal
Agentjacking generalizes a rule builders should internalize: any data an agent pulls through an MCP tool — error reports, tickets, search results, web pages — is untrusted input, not trusted system output. The defensive pattern is to treat MCP responses like user input: never let an agent execute instructions embedded in tool output, scope tool credentials tightly, and gate irreversible actions behind explicit approval rather than prompt text.