Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Graphon1 5 days ago

It's not a prompt injection _in the MCP Server_. It's injection facilitated by the MCP server that pulls input from elsewhere, eg an email sent to your inbox, a webpage that the agent fetches, or in the comment on a pull request submitted to your repo. [1]

[1] https://www.thestack.technology/copilot-chat-left-vs-code-op...

alias_neo 4 days ago | parent [-]

I'm completely new to this, and know nothing about MCP, but why is it that when it fetches that stuff it isn't just "content"?

We make code and other things benign all of the time when we embed it in pages or we use special characters in passwords etc, is there something about the _purpose_ of MCP that makes this a risk?

structural 4 days ago | parent [-]

A good simplification of what's going on is this little loop:

1. LLM runs using the system prompt + your input as context.

2. Initial output looks like "I need more information, I need to run <tool>"

3. Piece of code runs that looks for tool tags and performs the API calls via MCP.

4. Output of the tool call gets appended as additional context just as if you'd typed it yourself as part of your initial request.

5. Go back to step 1, run the LLM again.

So you can see here that there is no difference between "content" and "prompt". It's all equivalent input to the LLM, which is calling itself in a loop with input that it generated/fetched for itself.

A lot of safety here happens at step #3, trying to look at the LLM's output and go "should I actually perform the tool call the LLM asked for?". In some cases, this is just spitting the tool call at the user and asking them to click Approve/Deny... and after a hundred times the user just blindly presses Approve on everything, including the tool call called "bash(sudo rm -rf /)". Pwned.

alias_neo 4 days ago | parent [-]

Ah, thanks for that break down, makes perfect sense now.

Putting aside the "LLM" part, it seems very similar to the situation where we don't just "exec" stuff from inside code that takes user input, because you're opening up a can of security worms.