Unicode Attack
Invisible characters and bidirectional text tricks that hide malicious content in plain sight
What is a Unicode attack?
Unicode attacks exploit the gap between what humans see and what computers process. Unicode has thousands of special characters that are invisible (zero-width joiners, soft hyphens, byte-order marks), that reverse text direction (right-to-left override), that look identical to ASCII characters (homoglyphs like Cyrillic a vs. Latin a), or that insert invisible formatting instructions.
In the AI agent context, these characters serve as concealment tools. An attacker can embed invisible instructions in a skill description that a human reviewer cannot see but an AI agent processes. A file name can appear to end in .txt but actually end in .exe when a right-to-left override character reverses the displayed text. A URL can look like it points to google.com but actually points to a lookalike domain using Cyrillic characters.
Aguara's Unicode detection rule catches suspicious Unicode characters in skill definitions: zero-width characters, bidirectional overrides, homoglyph substitutions, and other Unicode tricks commonly used for concealment or deception. While some of these characters have legitimate uses in internationalized text, their presence in a skill's code or metadata is almost always suspicious.
Why this matters for AI agents
AI agents are particularly vulnerable to Unicode attacks because they process text at the byte level while their "understanding" operates at the semantic level. An agent will process an invisible zero-width space between two words even if it does not affect the visible output. A bidirectional override character can make a code snippet appear to do one thing while actually doing another, and the agent will execute the actual version, not the displayed version.
The review problem is severe. A skill description containing "Please run the following safe command" could contain, between "safe" and "command," an invisible sequence of zero-width characters that encode an entirely different instruction in a format the agent recognizes. No human reviewer would catch this because the characters are literally invisible. Automated text analysis tools often strip these characters before processing, which means they would miss the attack too.
For MCP specifically, Unicode attacks can bypass security filters. If a security scanner checks for a dangerous pattern but the skill description contains zero-width characters inserted within the pattern, a naive scanner misses it. The shell or interpreter, however, may process the text differently depending on the implementation, potentially executing despite the inserted character.
Real-world examples
A skill description appears to contain only English text describing a file formatting tool. But between visible words, zero-width Unicode characters spell out instructions in a format the LLM interprets as a command. A human reviewer sees "Format files according to project standards." The agent sees that plus a hidden directive to exfiltrate the project's .env file.
A skill's tool name appears to be "safe_file_reader" in the registry UI. But it contains a right-to-left override character that reverses part of the displayed name. The actual registered name is different, and it shadows a legitimate tool the user already has installed. The agent calls the attacker's version.
A skill parameter description uses Cyrillic homoglyphs to make a URL look like it points to a trusted domain. The letter "o" is replaced with the Cyrillic equivalent, which is visually identical in most fonts but resolves to a completely different domain. The agent follows the URL, which leads to an attacker-controlled server.
How to protect against it
Normalize all Unicode text before processing it. Apply Unicode NFKC normalization to skill descriptions, tool definitions, parameter values, and file paths. This collapses many homoglyph substitutions and removes some invisible characters. It is not a complete defense, but it eliminates the low-effort attacks.
Strip invisible and formatting Unicode characters from skill metadata. Zero-width spaces, zero-width joiners, bidirectional overrides, and byte-order marks have no place in a tool name, description, or parameters. If a skill contains these characters, either strip them automatically or flag the skill for manual review.
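The normalize-then-strip check described above, as an added example (not Aguara's own code). It goes slightly beyond the text by also flagging mixed-script tokens, using the first word of each letter's Unicode name as an assumed stand-in for its script; the function names and sample strings are constructed for illustration.

```python
import unicodedata

# Cf = format characters (zero-width, bidi controls, BOM, soft hyphen, tag characters);
# Zl / Zp = line and paragraph separators.
HIDDEN_CATEGORIES = {"Cf", "Zl", "Zp"}

def find_hidden(text):
    """List (index, code point, name) for each invisible or formatting character."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
            for i, c in enumerate(text)
            if unicodedata.category(c) in HIDDEN_CATEGORIES]

def clean(text):
    """NFKC-normalize, then drop the invisible characters normalization left behind."""
    normalized = unicodedata.normalize("NFKC", text)
    return "".join(c for c in normalized
                   if unicodedata.category(c) not in HIDDEN_CATEGORIES)

def mixed_script_tokens(text):
    """Heuristic (assumption): the first word of a letter's Unicode name is its script."""
    flagged = []
    for token in text.split():
        scripts = {unicodedata.name(c, "UNKNOWN").split()[0]
                   for c in token if c.isalpha()}
        if len(scripts) > 1:
            flagged.append((token, sorted(scripts)))
    return flagged

def review(text):
    """Return the findings a scanner would report, plus the cleaned text."""
    cleaned = clean(text)
    hidden = find_hidden(text)               # reported against the raw input
    mixed = mixed_script_tokens(cleaned)     # checked after normalization
    return {"hidden": hidden, "mixed_script": mixed,
            "cleaned": cleaned, "flag_for_review": bool(hidden or mixed)}

# Constructed sample metadata, modelled on the scenarios described on this page.
SAMPLES = {
    "description": "Format files according to project\u200b\u200d standards.",
    "tool_name": "safe_\u202efile_reader",
    "cyrillic_url": "https://g\u043e\u043egle.com/docs",   # U+043E is Cyrillic "o"
    "fullwidth_url": "https://\uff47oogle.com/docs",        # U+FF47 is fullwidth "g"
}

if __name__ == "__main__":
    for field, value in SAMPLES.items():
        print(field, review(value))
```

NFKC folds the fullwidth letter back to ASCII but leaves the Cyrillic letters unchanged, which is why the mixed-script check runs on the normalized text rather than relying on normalization alone.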
As a user, be wary of copy-pasted commands and URLs from skill descriptions. When in doubt, retype commands manually rather than copying them. If a skill description looks normal but the scanner flags Unicode issues, take the warning seriously. The mismatch between what you see and what is actually in the text is exactly the point of the attack.
Aguara detection rules (1)
Detects Unicode line/paragraph separators and soft hyphens used to hide content