MCP security: prompt injection and tool poisoning
As MCP adoption surged, so did its attack surface. The risks are real and worth understanding before you connect any AI tool to a firm's project data — including ours.
The lethal trifecta
Security researcher Simon Willison's framing (June 2025) is the clearest: an AI agent is dangerous when it combines three things at once — access to private data, exposure to untrusted content, and the ability to communicate externally. Put those together and a malicious instruction hidden in a document can make the agent fetch private data and send it out. Remove any one leg and the risk drops sharply.
Tool poisoning and rogue servers
Two MCP-specific patterns followed the hype. Prompt injection hides instructions in content the model reads — the May 2025 GitHub MCP "data heist" demonstration is a well-known example. Tool poisoning hides malicious instructions in a tool's own metadata, invisible to the user but read by the model. By 2026 the consensus had shifted: AI-agent security is a supply-chain problem first — one 2026 analysis cited researchers finding hundreds of MCP servers exposed to the internet with no authentication at all (reported figure; treat as indicative).
What actually reduces the risk
- Connect only MCP servers you trust; treat an unvetted server like unvetted software.
- Require authentication; never expose a server without it.
- Practice least privilege and bounded scope — don't hand a tool your entire drive.
- Keep a human in the loop for any consequential action.
What this means for an AEC firm
This is exactly why a review tool should be authenticated, server-side, and bounded — and why you can start with one submittal or one spec section rather than a whole-server data grab. Vet any MCP server before pointing it at client documents, and have your IT and counsel confirm your account's data controls. AECdesign.ai keeps the engineer of record in the loop by design; the security model is part of the product, not a bolt-on.
Sources
- The lethal trifecta for AI agents — Simon Willison (June 16, 2025).
- Model Context Protocol has prompt injection security problems — Simon Willison.
- A Timeline of Model Context Protocol Security Breaches — AuthZed.
- AI Agent Security Risks in 2026 — Cyber Desserts (supply-chain framing; exposed-server figure).
Draft, not determination. Every substantive AECdesign.ai result is a draft. A licensed engineer of record must review, revise, accept, or reject each finding before it is issued. AECdesign.ai never provides a sealed determination.
An authenticated, bounded review tool.
Request the managed Review Desk or self-serve platform access; we quote the right path in writing before billing.