剣 KENSAI
← All posts · research · 2026-04-06 · 4 min

2026 में AI एजेंट सुरक्षा: टूल पॉइज़निंग, प्रॉम्प्ट लीकिंग और MCP सैंडबॉक्स एस्केप

उत्पादन में AI एजेंटों को लक्षित करने वाले शीर्ष हमले वैक्टरों का व्यापक विश्लेषण: MCP सर्वर के माध्यम से टूल पॉइज़निंग, साइड चैनल के माध्यम से प्रॉम्प्ट निष्कर्षण और सैंडबॉक्स एस्केप तकनीकें।


The Agent Attack Surface Explosion

2026 is the year AI agents went mainstream. Claude Code, Codex, Devin, OpenClaw, and dozens of others now run in production environments with real tool access — file systems, databases, APIs, browsers, and cloud infrastructure. With great power comes a massive attack surface.

We've spent the last quarter cataloging and testing the most critical vulnerabilities affecting AI agent deployments. Here's what we found.

Attack Vector 1: Tool Poisoning via MCP Servers

🔴 HIGH RISK — Active Exploitation Observed

Malicious MCP (Model Context Protocol) servers are being published to package registries with legitimate-sounding names. When agents connect to these servers, the tool descriptions contain hidden prompt injections that override the agent's instructions.

How It Works

  1. Bait: Attacker publishes an MCP server named something like mcp-github-enhanced or mcp-aws-tools-v2
  2. Hook: The tool descriptions embed invisible instructions using Unicode control characters or markdown comment injection
  3. Execute: When the agent reads tool descriptions, the injected instructions cause it to exfiltrate environment variables, API keys, or file contents
  4. Persist: Some variants modify the agent's configuration to add the malicious server permanently

Real-World Example

In March 2026, a malicious MCP server published as mcp-jira-sync was installed by 340+ developers. The tool's list_issues description contained a hidden instruction that caused agents to include the contents of ~/.aws/credentials in every API call to the attacker's C2 server.

Attack Vector 2: Prompt Extraction via Side Channels

The Threat

System prompts, custom instructions, and tool configurations contain valuable intellectual property and security-critical information. Attackers have developed sophisticated techniques to extract them:

Attack Vector 3: Sandbox Escape Techniques

Container Breakouts

Most agent sandboxes run in containers. We identified several escape vectors specific to AI agent deployments:

Defensive Framework: KENSAI Agent Shield

The 5-Layer Defense Model

  1. Input Validation Layer — scan all tool descriptions and external inputs for known injection patterns
  2. Permission Boundary Layer — enforce least-privilege access with granular tool-level permissions
  3. Runtime Monitoring Layer — detect anomalous agent behavior (unusual file access, unexpected network calls)
  4. Output Filtering Layer — prevent sensitive data from leaving the agent's sandbox
  5. Audit Trail Layer — comprehensive logging of all agent actions for forensic analysis

Recommendations

  1. Vet all MCP servers — review tool descriptions manually before connecting agents to new MCP servers. Use only verified sources.
  2. Implement prompt isolation — keep system prompts separate from user-accessible memory. Use architectural barriers, not just instruction-based guardrails.
  3. Harden containers — use gVisor or Firecracker microVMs instead of standard containers. Block metadata service access.
  4. Monitor egress — log and alert on all outbound connections from agent environments. Whitelist expected destinations.
  5. Rotate credentials — never store long-lived credentials in agent environments. Use short-lived tokens with minimal scopes.