- References
The attack described involves an agent, interacting with GitHub via MCP, being tricked by a malicious GitHub issue in a public repository. This issue contains a prompt injection that coerces the agent to first access a private repository and then exfiltrate its data into a public pull request. Our SCITT-based approach can defend against this by validating each tool call against context-aware policies before execution.
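To make the policy gate concrete, the following is an added example (not code from the paper or its SCITT implementation) of a context-aware check that a tool-call gateway could run before forwarding each MCP call to GitHub. It assumes constructed repository names, a constructed visibility table, and GitHub-MCP-style tool names; the SCITT transparency ledger and receipts are not modelled, only the per-call policy decision and an append-only audit trail of those decisions.

```python
from dataclasses import dataclass, field

# Constructed sample data: repository visibility as the gateway would resolve it.
REPO_VISIBILITY = {"acme/public-site": "public", "acme/internal-secrets": "private"}

# Tools that read repository content versus tools that write to a place others can see.
READ_TOOLS = {"get_file_contents", "list_issues", "search_code"}
WRITE_TOOLS = {"create_pull_request", "create_issue", "add_issue_comment", "push_files"}


@dataclass
class SessionContext:
    task_repo: str                                   # repository the user's task is scoped to
    private_repos_read: set = field(default_factory=set)
    decisions: list = field(default_factory=list)    # append-only audit trail of (tool, repo, allowed, reason)


def visibility(repo: str) -> str:
    # Unknown repositories are treated as private so the gate fails closed.
    return REPO_VISIBILITY.get(repo, "private")


def authorize(ctx: SessionContext, tool: str, args: dict) -> tuple[bool, str]:
    """Decide one tool call from the session history; record the decision; return (allowed, reason)."""
    repo = args.get("repo")
    allowed, reason = True, "ok"
    if repo is None:
        allowed, reason = False, "tool call names no repository"
    elif tool in WRITE_TOOLS and visibility(repo) == "public" and ctx.private_repos_read:
        # The exfiltration step: private data has already entered the context, so block public writes.
        allowed, reason = False, f"write to public {repo} after reading private {sorted(ctx.private_repos_read)}"
    elif tool in READ_TOOLS and visibility(repo) == "private" and repo != ctx.task_repo:
        # The pivot step: an injected instruction reaches for a private repo outside the task scope.
        allowed, reason = False, f"private {repo} is outside the task scope {ctx.task_repo}"
    if allowed and tool in READ_TOOLS and visibility(repo) == "private":
        ctx.private_repos_read.add(repo)             # taint the session: private content is now in context
    ctx.decisions.append((tool, repo, allowed, reason))
    return allowed, reason


def replay_attack(task_repo: str) -> list:
    """Replay the issue-to-PR exfiltration chain from the text and return the per-call decisions."""
    ctx = SessionContext(task_repo=task_repo)
    calls = [
        ("list_issues", {"repo": "acme/public-site"}),                                  # reads the poisoned issue
        ("get_file_contents", {"repo": "acme/internal-secrets", "path": "config.yaml"}),  # injected pivot
        ("create_pull_request", {"repo": "acme/public-site", "body": "<private data>"}),  # injected exfiltration
    ]
    return [authorize(ctx, tool, args)[0] for tool, args in calls]
```

Whichever repository the task is scoped to, one of the two rules breaks the chain: with a public task repo the private read is refused, and with the private repo in scope the later public pull request is refused.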