Research
Agents
-
Agentic Security
Line jumping: how a poisoned MCP tool hijacks a model that was never called
An MCP tool's description is loaded into the model's context at tools/list time — before the tool is ever invoked. That one protocol detail turns a description field into a prompt-injection payload that fires even if the user never touches the tool. Here's the mechanism, the attack classes, and the audit that catches them.
-
Agentic Security
Indirect prompt injection is SSRF for the agent era
SSRF is a server fetching an attacker's URL and trusting the response. Indirect prompt injection is an agent reading attacker content and trusting it as instructions. Same missing boundary between data and control — here are the exact gadgets, the encodings that beat filters, and why 'ignore previous instructions' stopped working years ago.