Pattern: MCP-Relayed Third-Party Content Is Now a First-Class Prompt-Injection Surface
Cloud Security Alliance·high signal
The Agentjacking research generalizes beyond Sentry: any MCP server that relays attacker-influenceable content — error trackers, issue trackers, PR comments, browser DOMs — can smuggle instructions into an agent's context and drive tool execution. The emerging discipline treats every MCP tool output as untrusted input requiring the same scrutiny as user input, not as trusted diagnostics.