
MP040: hidden-prompt-injection

The description contains zero-width or bidi-control characters.

At a glance

| | |
|---|---|
| Category | security |
| Default severity | error |
| Auto-fixable | no |
| LLM-gated | no |
| Stable since | v0.1.0 |

What this rule checks

mcpolish scans the description for invisible Unicode characters from these ranges:

| Range | What |
|---|---|
| U+200B to U+200F | Zero-width space, zero-width non-joiner, zero-width joiner, left-to-right mark, right-to-left mark. |
| U+202A to U+202E | Left-to-right embedding, right-to-left embedding, pop directional formatting, left-to-right override, right-to-left override. |
| U+2066 to U+2069 | Isolate controls (LRI, RLI, FSI, PDI). |
| U+FEFF | Byte order mark (zero-width no-break space). |

If any of these appear, MP040 fires and the message lists the offending code points.

Why it matters

In May 2025, Invariant Labs (since acquired by Snyk) documented a tool-poisoning pattern in which hidden characters smuggled additional instructions into a tool description. The visible text looked benign; the hidden suffix told the agent something else. Because the agent consumes the description as one string, it treated the hidden suffix as part of the legitimate description and acted on it.

Any zero-width character in a tool description is almost certainly malicious. There is no honest reason to put one there.

Example: code that triggers this rule

@mcp.tool()
def safe_looking_tool(x: int = 0) -> int:
    """Use this when you want a number returned.​ Returns the int."""
    return x

The description contains a zero-width space (U+200B) between `returned.` and `Returns`. MP040 fires:

description contains invisible character U+200B - possible prompt-injection vector

Example: how to fix it

Strip the invisible character. The simplest tool is sed. The character is written below as its UTF-8 byte sequence (E2 80 8B) inside bash `$'...'` quoting so that the command is visible on the page rather than containing the invisible character itself. The `-i ''` form is BSD/macOS sed syntax; on GNU sed use `-i` with no argument:

sed -i '' $'s/\xe2\x80\x8b//g' your_file.py

Or paste the description through a text editor that shows whitespace, find the invisible character, delete it.

Configuration

MP040 has no knobs. To skip:

[tool.mcpolish]
ignore = ["MP040"]

When to disable this rule

Never. If MP040 fires, treat the description as compromised until you have audited it.

How the check works under the hood

mcpolish runs a single regex covering the ranges above over the description text. Any match emits a diagnostic. The message lists the deduplicated code points so you know exactly what to remove.
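The following is an added illustration of the scan described in this section and of the fix described under "Example: how to fix it"; it is not mcpolish's own code. It assumes the four ranges from the table above are the complete set and that the diagnostic wording matches the example message on this page; the sample description is constructed to mirror the triggering example.

```python
import re
import unicodedata
from typing import List, Optional, Tuple

# Assumption: these are the four ranges from this page's table, and nothing else.
INVISIBLE_RE = re.compile(r"[\u200B-\u200F\u202A-\u202E\u2066-\u2069\uFEFF]")

# Constructed sample: the same benign-looking description as the page's example,
# with a zero-width space spliced in after "returned."
SAMPLE_DESCRIPTION = "Use this when you want a number returned.\u200b Returns the int."


def find_invisible(description: str) -> List[str]:
    """Return the offending code points as 'U+XXXX', deduplicated, in first-seen order."""
    seen: dict = {}
    for match in INVISIBLE_RE.finditer(description):
        seen.setdefault(f"U+{ord(match.group()):04X}", None)
    return list(seen)


def describe_code_point(code_point: str) -> str:
    """Map 'U+XXXX' to its Unicode name, for readable reports."""
    char = chr(int(code_point[2:], 16))
    return unicodedata.name(char, "<unnamed>")


def mp040_message(description: str) -> Optional[str]:
    """Produce the diagnostic text (wording assumed from this page's example), or None."""
    points = find_invisible(description)
    if not points:
        return None
    return (
        f"description contains invisible character {', '.join(points)}"
        " - possible prompt-injection vector"
    )


def strip_invisible(description: str) -> str:
    """The fix: remove every character in the flagged ranges."""
    return INVISIBLE_RE.sub("", description)


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Scan a whole file's text line by line; return (1-based line number, message) pairs.

    Unlike the rule, which looks only at tool descriptions, this reports any line,
    which is useful when hunting for the character to delete.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        message = mp040_message(line)
        if message is not None:
            findings.append((lineno, message))
    return findings


if __name__ == "__main__":
    for point in find_invisible(SAMPLE_DESCRIPTION):
        print(point, describe_code_point(point))
    print(mp040_message(SAMPLE_DESCRIPTION))
    print(repr(strip_invisible(SAMPLE_DESCRIPTION)))
```

`find_invisible` keeps first-seen order with a dict rather than a set so the report is stable across runs; `scan_source` is the part you would run over a file before reaching for sed, since it tells you which line to edit.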

  • MP041 instruction-in-description: the other tool-poisoning rule.
  • MP033 duplicate-tool-description: not security per se, but adjacent.

References