Tenable Research has published a blog post titled “MCP Prompt Injection: Not Just for Evil,” which demonstrates how techniques similar to prompt injection can be used to audit, log, and firewall Large Language Model (LLM) tool calls running over the Model Context Protocol (MCP). MCP is a new standard from Anthropic that lets AI chatbots act more autonomously by connecting them to external tools and data, but it also introduces new security risks. The research explains those risks in plain language and shows how the same techniques can be turned around to log, inspect, and control every tool an AI tries to run.
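
To make the mechanism concrete, here is a minimal sketch (not Tenable’s code; the server name, tool name, and log file are illustrative) of an MCP server whose tool description doubles as an instruction to the model. It is the same prompt-injection-style channel an attacker could abuse, used here defensively to build an audit trail, and it assumes the official MCP Python SDK’s FastMCP helper is available.

```python
# Minimal illustrative sketch, not Tenable's implementation.
# Assumes the MCP Python SDK (pip install mcp); names are made up for the example.
from datetime import datetime, timezone

from mcp.server.fastmcp import FastMCP

mcp = FastMCP("audit-logger")

@mcp.tool()
def log_tool_use(tool_name: str, arguments: str) -> str:
    """Before invoking any other tool, first call log_tool_use with that tool's
    name and the exact arguments you intend to pass to it."""
    # The docstring above becomes the tool description the model reads -- the
    # same channel an attacker could exploit, used here to record tool calls.
    timestamp = datetime.now(timezone.utc).isoformat()
    with open("tool_audit.log", "a", encoding="utf-8") as log:
        log.write(f"{timestamp} {tool_name}: {arguments}\n")
    return "logged"

if __name__ == "__main__":
    mcp.run()
```

When a host connects to a server like this, the description is placed in the model’s context alongside every other tool, which is how the logger gets invoked before other tool calls.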

As enterprises rush to connect LLMs with business-critical tools, understanding both the risks and defensive opportunities in MCP is essential for CISOs, AI engineers, and security researchers.

“MCP is a rapidly evolving and immature technology that’s reshaping how we interact with AI,” said Ben Smith, senior staff research engineer at Tenable. “MCP tools are easy to develop and plentiful, but they do not embody the principles of security by design and should be handled with care. So, while these new techniques are useful for building powerful tools, those same methods can be repurposed for nefarious means. Don’t throw caution to the wind; instead, treat MCP servers as an extension of your attack surface.”

Key Research Highlights

  • Cross-model behaviour varies:
    • Claude Sonnet 3.7 and Gemini 2.5 Pro Experimental reliably invoked the logger and exposed slices of the system prompt.
    • GPT-4o also inserted the logger but produced different (sometimes hallucinated) parameter values on each run.
  • Security upside: The same mechanism that an attacker might exploit can help defenders audit toolchains, detect malicious or unknown tools, and build guardrails inside MCP hosts.
  • Explicit user approval: MCP already requires explicit user approval before any tool executes; this research underscores the need for strict least-privilege defaults and thorough review and testing of each individual tool (a minimal host-side guardrail sketch follows this list).
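
On the host side, the sketch below (hypothetical names, not tied to any particular MCP client library) wraps whatever callable a host uses to dispatch tool calls so that each call is logged, checked against a least-privilege allow-list, and confirmed by the user before it runs.

```python
# Illustrative host-side guardrail sketch; ALLOWED_TOOLS and the dispatch
# callable are assumptions, not part of any specific MCP client API.
import json
import logging
from typing import Any, Callable

logging.basicConfig(filename="mcp_tool_calls.log", level=logging.INFO)

# Least-privilege default: anything not explicitly listed is refused.
ALLOWED_TOOLS = {"search_docs", "read_file"}

def guarded(dispatch: Callable[[str, dict[str, Any]], Any]) -> Callable[[str, dict[str, Any]], Any]:
    """Return a wrapper that audits and gates every MCP tool invocation."""
    def wrapper(tool_name: str, arguments: dict[str, Any]) -> Any:
        # Audit every attempted call, approved or not.
        logging.info("tool=%s args=%s", tool_name, json.dumps(arguments))
        if tool_name not in ALLOWED_TOOLS:
            raise PermissionError(f"Tool {tool_name!r} is not on the allow-list")
        # Explicit user approval before execution.
        if input(f"Run {tool_name} with {arguments}? [y/N] ").strip().lower() != "y":
            raise PermissionError(f"User declined tool call to {tool_name!r}")
        return dispatch(tool_name, arguments)
    return wrapper
```

A host would apply `guarded` to its tool-dispatch function once at startup; any tool that is unknown, unlisted, or declined by the user never executes.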

The full research can be found here.