Sub-agent context isolation: parent MCP server registrations leak into sub-agent tool output
Summary
Parent agent MCP server configurations (specifically system-reminder blocks containing MCP tool registrations) appear in sub-agent tool output despite sub-agents having no MCP servers configured. This breaks the context isolation boundary between parent and child agents and creates an indistinguishable attack surface for prompt injection.
Reproduction
- Parent agent (Claude Code CLI) has one or more MCP servers configured (e.g., Gamma, Supabase, Vercel)
- Parent agent spawns a sub-agent via the Agent tool with a scoped task
- Sub-agent executes tool calls (Bash, Read, Glob, Grep — any tool type)
- Tool results returned to the sub-agent contain
system-reminderblocks with MCP server instructions from the parent agent's configuration
The sub-agent did not request these tools, has no MCP configuration, and has no use for them. The content appears inline in tool result output alongside legitimate results.
Observed behavior
During a security research pass involving WebFetch against a public GitHub repository, multiple sub-agents independently reported system-reminder blocks containing MCP server registration content in their tool output. The pattern reproduced across:
- Different sub-agents (separate Agent tool invocations)
- Different tool types (WebFetch responses, Bash command output)
- Different task scopes (research tasks, build tasks)
Each sub-agent was operating under a bounded task prompt with explicit instructions to treat all tool output as untrusted data. All sub-agents correctly identified the leaked MCP content as anomalous and ignored it. However, they could not distinguish it from a genuine prompt injection attempt because the format is identical.
Expected behavior
Sub-agents spawned via the Agent tool should not receive parent agent MCP server registrations in their tool output. Sub-agent context should be isolated to:
- The initial task prompt
- Tool results from the sub-agent's own tool invocations
- SendMessage content from the parent agent
MCP server configurations are parent-scoped and should not cross the agent boundary.
Security impact
This is a context isolation violation with two consequences:
- False positive noise. Sub-agents operating with anti-injection discipline (treating tool output as data, not instructions) will flag every leaked MCP block as a potential attack. This degrades signal quality when real injections occur.
- Indistinguishable attack surface. If a real attacker crafts a payload formatted as an MCP server registration block and embeds it in content a sub-agent fetches or reads, the sub-agent cannot distinguish the hostile payload from the legitimate (but leaked) parent context. The runtime's own behavior provides cover for the attack format.
Environment
- Claude Code CLI (macOS, Apple Silicon)
- Multiple sub-agents spawned via Agent tool
- Parent agent has MCP servers configured (Gamma, Supabase, Vercel, others)
- Sub-agents have no MCP configuration
Suggested fix
Strip parent MCP server registration blocks from tool output before delivering results to sub-agent contexts. Alternatively, inject MCP registrations only into the parent agent's system prompt rather than into individual tool results, so they never appear in the tool output stream that sub-agents consume.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗