agent-security
Safeguard articles tagged "agent-security" — guides, analysis, and best practices for software supply chain and application security.
33 articles
MCP Spec 2025-11-25: Tasks, URL Mode Elicitation, and What Defenders Must Watch
The November 25, 2025 Model Context Protocol release adds Tasks, formalises long-running work, and reshapes the audit story for enterprise MCP.
The MCP Registry and the Namespace-Impersonation Problem
The official MCP Registry launched in September 2025 with namespace-bound publishing. We unpack the trust model and what it does — and does not — defend against.
Devin's Sandbox: What the Autonomous Engineer Threat Model Looks Like
Cognition's Devin executes engineering tasks autonomously in cloud sandboxes. We unpack the trust boundaries, the human checkpoints, and what defenders must require.
Supabase MCP and the Lethal Trifecta: When an Agent Has service_role
A Cursor user's Supabase MCP server was tricked by a support ticket into exfiltrating an integration_tokens table. The bug was not in MCP. It was in the trifecta.
How Malicious Payloads Get Smuggled Into Trusted AI Skill...
Attackers smuggle malicious payloads into trusted AI skill repositories via typosquats, staged fetches, and split-file obfuscation — here is exactly how it works.
MCP Server Permissions: A Practical Checklist for Reducin...
A practical checklist for scoping MCP server permissions, denying risky defaults, and limiting the blast radius when an AI agent's tool access is exploited.
MCP 2025-06-18: OAuth Resource Server Rules Defenders Must Understand
The June 2025 MCP spec made every server an OAuth 2.1 resource server, mandated RFC 8707 resource indicators, and added elicitation. Here is what changes for blue teams.
GitHub MCP Server Private-Repo Exfiltration: The May 2025 Invariant Labs Disclosure
Invariant Labs showed that a malicious GitHub Issue could hijack any MCP-connected agent into leaking private-repo contents. The architecture, not a bug, is the problem.
Line Jumping: How MCP Tool Descriptions Attack Before Tools Are Called
Trail of Bits coined 'line jumping' for prompt injection delivered through MCP tool descriptions on connection. It bypasses every tool-invocation guardrail by design.