Skills
Layer prompt-injection defenses at five distinct chokepoints and treat every MCP/tool output as untrusted input
The 2026 consensus is that no single filter stops injection, so effective defense stacks five independent layers — input-side detection before the model, incremental (per-operation) scope consent instead of blanket server access, and running every retrieved document, tool result, and MCP response through the same injection screening you apply to user messages. Because tool poisoning hides instructions in metadata the user never sees, builders should default to distrusting tool metadata specifically, not just tool payloads.
Source
↳ Follow the thread