There is no "parameter substitution" equivalent possible. Prompt injection isn't like SQL injection, it has no technical solution (that isn't AGI-complete).
replyPrompt injection is "social engineering" but applied to LLMs. It's not a bug, it's fundamentally just a facet of its (LLM/human) general nature. Mitigations can be placed, at the cost of generality/utility of the system.
> It's not a bug, it's fundamentally just a facet of its (LLM/human) general nature
replyFair enough but then that means that MCP is not "a bit like asking if "an API" was a critical link in some cybersec incident"
Because I can secure an API but I can't secure the the "(LLM/human) general nature."
MCP itself is just an API. Unless the MCP server had a hidden LLM for some reason, it's still piece of regular, deterministic software.
replyThe security risk here is the LLM, not the MCP, and you cannot secure the LLM in such system any more you can secure user - unless you put that LLM there and own it, at which point it becomes a question of whether it should've been there in the first place (and the answer might very well be "yes").