Prompt Injection

Prompt injection is the most fundamental attack against AI agents. A skill definition or output contains text designed to override the agent original instructions. Instead of doing what you asked, the agent follows the attacker concealed commands.

This works because large language models cannot reliably distinguish between instructions from the user, instructions from the system, and content they are processing. They use delimiter injection (inserting fake [SYSTEM] tags), authority claims, or jailbreak templates that systematically dismantle safety guardrails.

Some injections are invisible to human reviewers but contain instructions buried in formatting, whitespace, or sections the UI truncates. The NLP-based detections Aguara runs go beyond pattern matching to catch these semantic attacks, where the text meaning contradicts its apparent purpose.

Traditional web apps have input validation. You sanitize SQL queries, escape HTML, validate JSON schemas. But AI agents do not have a clean boundary between code and data. The skill definition IS the instruction set. There is no compilation step, no type checker, no sandbox between what the skill says and what the agent does.

This makes prompt injection qualitatively different from SQL injection. With SQL injection, the fix is parameterized queries. With prompt injection, there is no equivalent silver bullet. The agent must read and interpret the skill definition to function, and that is exactly where the attack lives.

For MCP servers specifically, the risk compounds. An agent might be connected to multiple MCP servers simultaneously, each providing capabilities. A single compromised skill definition can influence the agent behavior across all connected servers. One bad actor in a registry of thousands can hijack sessions that include completely legitimate capabilities.

If you are building skills, keep your definitions minimal and declarative. State what the capability does and what parameters it accepts. Do not include example prompts, conversation templates, or instructional text that could be misinterpreted as directives. The less text in your definition, the smaller the attack surface.

If you are choosing skills to install, read the full definition before connecting it to your agent. Look for unusual formatting, text that addresses the agent directly, or instructions that seem unrelated to the stated purpose. Be suspicious of skills with very long definitions, since legitimate capabilities rarely need paragraphs of instruction.

For platform operators running MCP registries: scan every skill submission with static analysis (that is what Aguara does) and flag definitions that contain instruction-like language, delimiter tokens, or authority claims. Automated scanning catches the obvious cases. The sophisticated attacks require ongoing research and updated detection rules, which is why Aguara NLP analyzers complement the pattern-based rules.