Sub-agent context isolation: parent MCP server registrations leak into sub-agent tool output

Resolved 💬 3 comments Opened Apr 12, 2026 by harristechpartners Closed Jun 27, 2026

Summary

Parent agent MCP server configurations (specifically system-reminder blocks containing MCP tool registrations) appear in sub-agent tool output despite sub-agents having no MCP servers configured. This breaks the context isolation boundary between parent and child agents and creates an indistinguishable attack surface for prompt injection.

Reproduction

  1. Parent agent (Claude Code CLI) has one or more MCP servers configured (e.g., Gamma, Supabase, Vercel)
  2. Parent agent spawns a sub-agent via the Agent tool with a scoped task
  3. Sub-agent executes tool calls (Bash, Read, Glob, Grep — any tool type)
  4. Tool results returned to the sub-agent contain system-reminder blocks with MCP server instructions from the parent agent's configuration

The sub-agent did not request these tools, has no MCP configuration, and has no use for them. The content appears inline in tool result output alongside legitimate results.

Observed behavior

During a security research pass involving WebFetch against a public GitHub repository, multiple sub-agents independently reported system-reminder blocks containing MCP server registration content in their tool output. The pattern reproduced across:

  • Different sub-agents (separate Agent tool invocations)
  • Different tool types (WebFetch responses, Bash command output)
  • Different task scopes (research tasks, build tasks)

Each sub-agent was operating under a bounded task prompt with explicit instructions to treat all tool output as untrusted data. All sub-agents correctly identified the leaked MCP content as anomalous and ignored it. However, they could not distinguish it from a genuine prompt injection attempt because the format is identical.

Expected behavior

Sub-agents spawned via the Agent tool should not receive parent agent MCP server registrations in their tool output. Sub-agent context should be isolated to:

  1. The initial task prompt
  2. Tool results from the sub-agent's own tool invocations
  3. SendMessage content from the parent agent

MCP server configurations are parent-scoped and should not cross the agent boundary.

Security impact

This is a context isolation violation with two consequences:

  1. False positive noise. Sub-agents operating with anti-injection discipline (treating tool output as data, not instructions) will flag every leaked MCP block as a potential attack. This degrades signal quality when real injections occur.
  1. Indistinguishable attack surface. If a real attacker crafts a payload formatted as an MCP server registration block and embeds it in content a sub-agent fetches or reads, the sub-agent cannot distinguish the hostile payload from the legitimate (but leaked) parent context. The runtime's own behavior provides cover for the attack format.

Environment

  • Claude Code CLI (macOS, Apple Silicon)
  • Multiple sub-agents spawned via Agent tool
  • Parent agent has MCP servers configured (Gamma, Supabase, Vercel, others)
  • Sub-agents have no MCP configuration

Suggested fix

Strip parent MCP server registration blocks from tool output before delivering results to sub-agent contexts. Alternatively, inject MCP registrations only into the parent agent's system prompt rather than into individual tool results, so they never appear in the tool output stream that sub-agents consume.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗