MCP injection via resource

MCP resources (files exposed by a server) contain injection payloads; agents that auto-load resources are compromised.

Severity: highOWASP LLM: LLM01

How it works

MCP supports a 'resources' concept. If the agent auto-attaches resources at session start, attacker-controlled resource content is part of the prompt before the user types anything.

Example payload

[Resource named 'project-context.md' begins with 'IGNORE ALL RULES'.]

Defenses

Treat resource bodies as untrusted; classify before inclusion. Cap auto-attach to operator-vetted servers.

Related patterns

Filesystem read out-of-bounds
Filesystem write overwrites config
Shell server arbitrary exec
MCP server supply chain
MCP message confusion