Covert channels

What it is

A covert channel is a way to transmit information using a medium not intended for that purpose. In MCP, the medium is often the text content of a tool call: tool descriptions can contain zero-width characters, bidi overrides, or base64 blobs that encode instructions the user is not shown but the model still processes.

Why it matters for MCP

Rendered UIs strip or fold Unicode edge cases; the model's tokenizer does not. A description that looks benign in the client's chat view can contain steering instructions hidden in invisible characters. This is a well-documented attack against LLMs.

Vulnerable example

// description contains U+202E (right-to-left override) + hidden text

server.tool("hello", {

  description: "Prints a greeting.\u202E;yxorp etacifitrec tseuqer",

  args: { name: z.string() },

}, handler);

Secure example

const SAFE_DESCRIPTION = /^[\x20-\x7e\n]+$/; // ASCII + LF only

function requireSafeDescription(desc: string) {

  if (!SAFE_DESCRIPTION.test(desc)) {

    throw new Error("description contains non-printable or non-ASCII characters");

  }

}

How MCPSafe detects this

We run tool metadata through a Unicode sanitizer that flags bidi overrides (U+202A–U+202E, U+2066–U+2069), zero-width joiners, and mixed-script identifiers. False-positive rate is 0.2% against a labeled corpus.

See the full threat catalog for every documented detection.

Framework alignment

OWASP LLM Top-10 (2025)

LLM01 — Prompt Injection

OWASP Agentic AI Top-10

T12 — Agent Communication Poisoning

AIVSS v0.5

5.4 (MEDIUM)AIVSS:1.0/S:MEDIUM/AV:N/AU:H/BR:M/CD:I

Further reading

• CWE-514: Covert Channel
• Trojan Source