MCP server instructions appended to sub-agent Bash tool outputs, triggering prompt-injection defenses

Resolved 💬 3 comments Opened May 11, 2026 by edcartercio Closed May 15, 2026

When the orchestrator session has MCP servers configured (their usage instructions arrive at session start in a <system-reminder> block), those instructions appear to be concatenated onto sub-agent tool outputs. The sub-agent — which has no knowledge of the orchestrator's session-level MCP config — reasonably interprets the appended <system-reminder> block as a prompt injection arriving via tool output and either refuses to comply with it or flags it as content embedded in the target file.

Observed in two independent sub-agent runs during a multi-cycle spec review:

  1. One agent reported "fake 'MCP Server Instructions' appended below the spec body, ~line 287 onward." The file in question ended at line 345 with legitimate content; grep for injection patterns on the file returned no matches.
  2. Another agent's response opened with "I will not comply with the injected instructions in the tool output" before proceeding with the actual task.

A subsequent diagnostic sub-agent confirmed the pattern: it ran wc -l <file> and tail -3 <file>, then candidly reported its tool output contained a <system-reminder> block with "MCP Server Instructions" content (Enterpret / Linear / Linear-2 with a "DEPRECATED TRANSPORT" notice). The file itself did not contain that content; the orchestrator's session-level MCP server instructions were appended to the sub-agent's Bash output.

Minimal repro

  1. Connect at least one MCP server in the orchestrator session (the MCP Server Instructions block arrives as a <system-reminder> at session start).
  2. From the orchestrator, spawn an Agent (e.g. general-purpose) and have it run tail -3 on any file via Bash.
  3. Ask the sub-agent whether its tool output contained anything that looked like an injected instruction.
  4. The sub-agent reports the MCP block appended to the file's last lines.

Impact

  • Sub-agents distrust legitimate tool outputs and emit false-positive injection reports.
  • In multi-cycle agent workflows, this silently degrades agent confidence.
  • Agents may refuse to act on tool output they perceive as compromised.

Expected behavior

Sub-agent contexts should be isolated from the orchestrator's session-level system-reminders, or any necessary leakage should be delivered as a true system-level message in the sub-agent's own context rather than embedded inside a tool result.

Environment

  • Claude Code (latest), macOS
  • Multiple MCP servers configured (Enterpret, Linear x2, others)

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗