research(security): cross-tool prompt injection taxonomy — 7 MCP clients evaluated, static validation insufficient (arXiv:2603.21642)

[bug-ops]

Source

arXiv:2603.21642 — Are AI-assisted Development Tools Immune to Prompt Injection?

Finding

Evaluates 7 MCP clients (Claude Desktop, Claude Code, Cursor, Cline, Continue, Gemini CLI, Langflow) for prompt injection resistance. Finds cross-tool poisoning (injected description in tool A affects tool B's invocation) and hidden parameter exploitation are widespread. Static description validation (regex/keyword scanning) is the primary but insufficient defense — dynamic behavioral validation needed.

Zeph applicability

• Directly extends PR security(mcp): tool poisoning detection and per-tool trust metadata (#2459, #2420) #2472 (tool poisoning detection): Zeph's 16 injection patterns are static — the paper identifies cross-tool poisoning as a gap in static approaches
• Hidden parameter exploitation: ToolSecurityMeta tracks capability class but not parameter-level injection patterns
• Behavioral validation: AdversarialPolicyGateExecutor does LLM-based validation per tool call but not cross-tool correlation
• Implementation sketch: add cross-tool injection correlation in sanitize_tools(); flag when tool description references another tool's name or parameters

Closes partial gap in #2459 (MCP tool poisoning)

[bug-ops]

Additional findings (2026-03-31)

Two related papers strengthen the case for this issue:

arXiv:2603.28013 — Kill-Chain Canaries (March 30, 2026)

Kill-Chain Canaries: Stage-Level Tracking of Prompt Injection Across Attack Surfaces and Model Safety Tiers

Embeds cryptographic canaries at each stage of the tool execution pipeline to track whether injected payloads propagate across stages. Key finding: model safety depends on cross-stage propagation, not just initial exposure. A payload blocked at stage 1 may still activate at stage 3 via indirect context.

Implication for Zeph: ContentSanitizer and ExfiltrationGuard operate at the output layer. Kill-chain canary tracking would enable detecting payloads that survive sanitization and re-surface in later turns via memory or context injection. Extends the static tool-poisoning detection in #2472.

arXiv:2603.24203 — TIP: Invisible MCP Injection (March 25, 2026)

Invisible Threats from Model Context Protocol: Generating Stealthy Injection Payload via Tree-based Adaptive Search

Black-box attack (TIP) that generates natural-looking injection payloads via tree-based adaptive search. Achieves >95% attack success in undefended settings and maintains effectiveness against defensive mechanisms (including static content filters). Evaluated specifically against MCP-enabled agents.

Implication for Zeph: the pre-execution verifier and UrlGroundingVerifier are static — they do not detect semantically natural payloads. TIP attacks would likely bypass the current defense stack. Suggests need for semantic (LLM-based) injection detection, not just pattern matching.

[bug-ops]

Additional paper: arXiv:2603.22489 — "Model Context Protocol Threat Modeling and Analyzing Vulnerabilities to Prompt Injection with Tool Poisoning".

Key findings:

• "Tool poisoning" (malicious instructions embedded in MCP tool metadata, not user input) identified as M0: Project bootstrap — workspace and crate skeleton #1 client-side MCP attack vector
• Evaluates 7 MCP clients; most are vulnerable
• Proposes multi-layer defense: metadata analysis, decision tracking, anomaly detection, user transparency

Different from the cross-tool taxonomy in this issue (2603.21642) — focuses specifically on tool metadata as the attack surface rather than prompt injection through tool outputs. Zeph's zeph-mcp should audit tool metadata at registration time.