"The curse of prompt injection continues to be that we’ve known about the issue for more than two and a half years and we still don’t have convincing mitigations for handling it.
I’m still excited about tool usage—it’s the next big feature I plan to add to my own LLM project—but I have no idea how to make it universally safe.
If you’re using or building on top of MCP, please think very carefully about these issues:
Clients: consider that malicious instructions may try to trigger unwanted tool calls. Make sure users have the interfaces they need to understand what’s going on—don’t hide horizontal scrollbars for example!
Servers: ask yourself how much damage a malicious instruction could do. Be very careful with things like calls to os.system(). As with clients, make sure your users have a fighting chance of preventing unwanted actions that could cause real harm to them.
Users: be thoughtful about what you install, and watch out for dangerous combinations of tools."
https://simonwillison.net/2025/Apr/9/mcp-prompt-injection/
#AI #GenerativeAI #LLMs #Chatbots #CyberSecurity #MCP #PromptInjection
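Added example (not from Simon Willison's post or any MCP implementation): a small Python sketch of the server-side point above. The constructed `shell_command_unsafe` function shows the string an `os.system()`-style tool would hand to the shell when a model-supplied argument is spliced in; the hypothetical `TOOL_REGISTRY`, `ToolCall`, `plan_tool_call` and `render_for_user` names show the alternative of a fixed argv list with no shell, a path check, a per-tool confirmation flag, and a full, unhidden rendering of the call so the user can see exactly what is about to run.

```python
import shlex
import subprocess
import unicodedata
from dataclasses import dataclass

# Constructed vulnerable pattern: a model-supplied argument is interpolated
# into a shell string. This returns the exact command line os.system() would
# execute, so an argument like "notes.txt; echo injected" becomes two commands.
def shell_command_unsafe(filename: str) -> str:
    return f"cat {filename}"

# Hypothetical tool registry: tool name -> (fixed argv prefix, needs confirmation).
# The "--" ends option parsing, so a path starting with "-" cannot become a flag.
TOOL_REGISTRY = {
    "read_file": (["cat", "--"], False),
    "list_dir": (["ls", "-la", "--"], False),
    "delete_file": (["rm", "--"], True),
}

@dataclass(frozen=True)
class ToolCall:
    name: str
    path: str

def validate_path(path: str) -> str:
    """Reject NUL/newline, absolute or home-relative paths, and traversal."""
    if not path or "\x00" in path or "\n" in path:
        raise ValueError("path contains forbidden characters")
    if path.startswith(("/", "~")):
        raise ValueError("absolute or home-relative paths are not allowed")
    if ".." in path.split("/"):
        raise ValueError("path traversal is not allowed")
    return path

def plan_tool_call(call: ToolCall) -> tuple[list[str], bool]:
    """Map a tool call to an argv list (never a shell string) plus a confirmation flag."""
    if call.name not in TOOL_REGISTRY:
        raise ValueError(f"unknown tool {call.name!r}")
    prefix, needs_confirmation = TOOL_REGISTRY[call.name]
    # The argument stays a single argv element; with shell=False nothing parses it.
    return prefix + [validate_path(call.path)], needs_confirmation

def review_hints(argv: list[str]) -> list[str]:
    """Things a client should surface rather than hide: odd characters, shell
    metacharacters (harmless without a shell, but a sign of injected text), length."""
    hints = []
    for arg in argv:
        if any(unicodedata.category(ch).startswith("C") for ch in arg):
            hints.append(f"control or format characters in {arg!r}")
        if any(ch in arg for ch in ";&|`$<>"):
            hints.append(f"shell metacharacters in {arg!r}")
        if len(arg) > 80:
            hints.append(f"unusually long argument ({len(arg)} chars)")
    return hints

def render_for_user(argv: list[str], needs_confirmation: bool) -> str:
    """Full, quoted rendering of the call for the user's approval UI."""
    lines = ["Tool call: " + shlex.join(argv)]
    lines += ["  ! " + hint for hint in review_hints(argv)]
    lines.append("  confirmation required" if needs_confirmation
                 else "  runs without confirmation")
    return "\n".join(lines)

def execute(argv: list[str], timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Run the planned argv with no shell and a timeout."""
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)

if __name__ == "__main__":
    # Constructed injected argument, as it might arrive from a poisoned document.
    injected = ToolCall("read_file", "notes.txt; echo injected")
    print("os.system would run:", shell_command_unsafe(injected.path))
    argv, confirm = plan_tool_call(injected)
    print(render_for_user(argv, confirm))
    print("argv handed to subprocess:", argv)
```

With the argv approach the injected text is one opaque filename argument: `cat` reports that no such file exists instead of the shell running a second command. The rendering step is the client-side half of the same advice: the approval prompt shows the fully quoted call and flags suspicious arguments rather than truncating them.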