Prompt injection

[bwalderman]

Tracking issue to discuss prompt injection and how we might mitigate this. Prompt injection in LLMs seems to be a largely unsolved issue.

A great blog post on the topic: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/. To recap, the "lethal trifecta" of agent capabilities is:

Access to your private data—one of the most common purposes of tools in the first place!
Exposure to untrusted content—any mechanism by which text (or images) controlled by a malicious attacker could become available to your LLM
The ability to externally communicate in a way that could be used to steal your data

Another interesting quote from a related presentation: https://simonwillison.net/2025/Aug/9/bay-area-ai/

Which brings me to my biggest problem with how MCP works today. MCP is all about mix-and-match: users are encouraged to combine whatever MCP servers they like.

This means we are outsourcing critical security decisions to our users! They need to understand the lethal trifecta and be careful not to enable multiple MCPs at the same time that introduce all three legs, opening them up data stealing attacks.

WebMCP, being essentially a port of MCP capabilities to the web, is subject to these risks as well.

[jasonjmcghee]

Here's a great recent post by Brave on this matter, though specifically about the Comet browser by Perplexity, I think it's highly relevant.

https://brave.com/blog/comet-prompt-injection/

[bwalderman]

From #19 (comment)

For data leakage between origins, I've been thinking about a clipboard-like approach where website tools can request to write to a client-managed clipboard without the data ever entering the agent's context. So if you had sensitive info like a social security number on one site, the agent could store it in this clipboard and then when it needs to use it elsewhere, it would need explicit user permission to paste it, but the agent never actually sees the data. This could help maintain separation between origins while still enabling workflows.

I'd like to explore this idea as well. What if all tool outputs were placed in a per-origin clipboard and given a unique ID, and the agent only ever used these IDs to handle information?

[MiguelsPizza]

I would argue it makes sense to have both. The default is the tool output gets dumped to the model's context so it can use the output to inform its next step, whereas tools which the content of the return is implied, sensitive, or too large to reasonably be injected into the model's context, go to the clipboard on an opt-in basis.

Since the clipboard feature is functionally a solution to unwanted data leakage between tool providers, it would make sense to add it to the official MCP spec.

I put the idea out in a discussion before the SEP process was formalized, but I plan to put out a formal SEP for it.

sequenceDiagram
    participant LLM as Model/LLM
    participant Client
    participant Server


    Note over Client,Server: Capabilities Negotiation
    Client->>Server: initialize (with ClientCapabilities.clipboard)
    Server->>Client: InitializeResult (notes support)

    Note over Client,Server: Tool Call Flow
    Client->>Server: tools/call (or resources/read)
    Server->>Client: CallToolResult (content: ClipboardContent {value, metadata e.g., sensitive: true, guardLevel: "prompt"})

    Note over Client: Client-Side Processing
    Client->>Client: Validate support & user approval if sensitive/large
    Client->>Client: Store value in clipboard (e.g., under roots: idb://mcp-clipboard/item.txt)
    Client->>Client: Generate reference (e.g., URI or UUID)
    Client->>Server: Optional: notifications/clipboard_created {reference}

    Note over Client,LLM: Sampling/Prompt Assembly
    Client->>LLM: sampling/createMessage (content with ref as ResourceLink)
    LLM->>LLM: Process context (sees only ref, no raw value)

    Note over LLM,Client: Paste (Resolution) if Needed
    LLM->>Client: Tool call or prompt referencing the clipboard item
    Client->>Client: Apply guards (e.g., user prompt for sensitive, redact/deny if set)
    alt Approved
        Client->>LLM: Resolved/pasted value (or embedded in response)
    else Denied
        Client->>LLM: Error or redacted placeholder
    end

Loading

Happy to bikeshed the SEP here if the WebMCP community wants to co-author it. The MCP contributors discord server might be a better place to discuss though.