MCP server instructions appended to sub-agent Bash tool outputs, triggering prompt-injection defenses
When the orchestrator session has MCP servers configured (their usage instructions arrive at session start in a <system-reminder> block), those instructions appear to be concatenated onto sub-agent tool outputs. The sub-agent — which has no knowledge of the orchestrator's session-level MCP config — reasonably interprets the appended <system-reminder> block as a prompt injection arriving via tool output and either refuses to comply with it or flags it as content embedded in the target file.
Observed in two independent sub-agent runs during a multi-cycle spec review:
- One agent reported "fake 'MCP Server Instructions' appended below the spec body, ~line 287 onward." The file in question ended at line 345 with legitimate content; grep for injection patterns on the file returned no matches.
- Another agent's response opened with "I will not comply with the injected instructions in the tool output" before proceeding with the actual task.
A subsequent diagnostic sub-agent confirmed the pattern: it ran wc -l <file> and tail -3 <file>, then candidly reported its tool output contained a <system-reminder> block with "MCP Server Instructions" content (Enterpret / Linear / Linear-2 with a "DEPRECATED TRANSPORT" notice). The file itself did not contain that content; the orchestrator's session-level MCP server instructions were appended to the sub-agent's Bash output.
Minimal repro
- Connect at least one MCP server in the orchestrator session (the MCP Server Instructions block arrives as a
<system-reminder>at session start). - From the orchestrator, spawn an
Agent(e.g. general-purpose) and have it runtail -3on any file via Bash. - Ask the sub-agent whether its tool output contained anything that looked like an injected instruction.
- The sub-agent reports the MCP block appended to the file's last lines.
Impact
- Sub-agents distrust legitimate tool outputs and emit false-positive injection reports.
- In multi-cycle agent workflows, this silently degrades agent confidence.
- Agents may refuse to act on tool output they perceive as compromised.
Expected behavior
Sub-agent contexts should be isolated from the orchestrator's session-level system-reminders, or any necessary leakage should be delivered as a true system-level message in the sub-agent's own context rather than embedded inside a tool result.
Environment
- Claude Code (latest), macOS
- Multiple MCP servers configured (Enterpret, Linear x2, others)
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗