[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-82992-en":3,"doc-seo-82992-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},82992,7971461740886,"Theodore","https://ap-avatar.wpscdn.com/davatar_3d24733baf745e90a7e4bdd5f77d97b2",6,"Technology","Unicode TAG-Block Concealment of Tool-Metadata Payloads in the Model Context Protocol","Model Context Protocol (MCP) enables coding agents to discover and invoke external tools by rendering tool metadata during a one-time approval dialog and then injecting that metadata verbatim into the model context on subsequent turns. The protocol does not require the rendered approval view to match the bytes the model receives. This work isolates a structural mechanism—concealment encoding—showing Unicode TAG block characters can remain invisible to human reviewers while surviving byte-for-byte into the model tokenizer. Experiments across multiple MCP implementations assess defenses, re-approval behavior, and cross-library reproducibility.","Unicode TAG-Block Concealment of Tool-Metadata Payloads in the Model Context Protocol: An Approval-View Fidelity Gap Across Three Independent Server  \nImplementations  \nMohammadreza Rashidi   \nDepartment of Computer Science  \nAI and Media Analysis Lab  \nBerlin, Germany  \n[mohammadreza.rashidi@ue-germany.de](mohammadreza.rashidi@ue-germany.de)  \narXiv :2607 .05744v 1 [ cs .CR] 7 Jul 2026  \nAbstract—The Model Context Protocol (MCP) has become the dominant way coding agents discover and invoke external tools. A server advertises each tool through a tools/list handshake that returns a name, a natural-language description, anda JSON input schema; the client renders this metadata once, in a one-time approval dialog, and then injects it verbatim into the model’s context on every subsequent turn. Nothing in the protocol requires the rendered approval view and the bytes delivered to the model to match. We isolate that gapas a single structural mechanism, concealment encoding, and show with a model-free, protocol-free analysis that Unicode’s TAG block (U+E0000–U+E007F) has no assigned glyph in any mainstream terminal, chat, or IDE renderer, so a payload written in it is absent from what a human reviewer sees while surviving byte-for-byte into the model’s tokenizer. We then measure whether this mechanism, and the surface it generalizes across, actually defeats today’s client-side defenses, building a proof-of-concept that speaks the real MCP JSONRPC/stdio protocol against a genuine client and server. Across 5 distinct MCP metadata surfaces we implement 8 concrete techniques with a deterministic, protocol-level harness. All 8/8 techniques deliver an attacker-controlled payload into the model’s context; 4/8 evade a representative string-matching sanitizer; and, exactly as the mechanism analysis predicts, only the TAG-block encoding (1/8) is invisible in the human approval view while still reaching the model verbatim, making it the only technique in our set that defeats both defense layers at once. We further show that MCP forces re-approval for 0/8 techniques even under a time-of-check to time-of-use “rugpull,” and we distill the structural fix the protocol currently lacks: approval views must be byte-faithful, not merely visually plausible. To test whether these outcomes are a property of the protocol or an artifact of one server codebase, we re-implement the full technique catalogue against 3 independently developed Python MCP server libraries and find total agreement across all 32 cross-library outcome cells, and we confirm the baseline sanitizer does not simply reject everything by checking it against 25 representative benign tool descriptions, 0 of which are flagged.  \nIndex Terms—Model Context Protocol, tool poisoning, prompt injection, Unicode concealment, confused deputy, agent security, sanitizer evasion  \n1. Introduction  \nCoding agents built on the Model Context Protocol (MCP) delegate a growing share of their capability to thirdparty tool servers. When an agent connects to a server it performs a tools/list handshake and injects the returned tool metadata (each tool’s name, natural-language description, and JSON input schema) directly into the model’s context so that the model can decide when and how to call each tool. Crucially, the same metadata is the only thing a user sees before approving a server: a mainstream client renders the tool names and (sometimes) descriptions in an approval dialog, the user clicks “allow,” and from then on the metadata flows into the model on every turn.  \nThis design silently makes tool metadata a promptdelivery channel under attacker control. A malicious or compromised server never has to exploit a memory-safety bug or escape a sandbox; it simply writes instructions into the fields the protocol was built to trust. The stakes are higher for coding agents specifically than for the general tool-augmented chatbot case the wider prompt-injection literature usually studies: a coding agent’s execution ","cbCairMMICHOrlqX","https://ap.wps.com/l/cbCairMMICHOrlqX","pdf",808739,1,15,"English","en",105,"# Introduction\n## MCP tool discovery and approval-time metadata flow\n## Concealment encoding as a structural mechanism\n## Threat framing for coding agents","[{\"question\":\"How does MCP move tool metadata from a server into the model after approval?\",\"answer\":\"An agent performs a tools/list handshake, receives tool metadata (name, natural-language description, JSON input schema), shows it in a one-time approval view, and then injects the same metadata verbatim into the model context on every subsequent turn.\"},{\"question\":\"What is “concealment encoding” in this paper?\",\"answer\":\"Concealment encoding refers to using a character encoding where the renderer displays the payload to a human approval step when it should, but drops or cannot display it when it should not—while still delivering the original bytes to the model.\"},{\"question\":\"What were the experimental results against client-side defenses and approval-view fidelity?\",\"answer\":\"Across eight attacker-controlled techniques, all 8 delivered payloads into the model context, four evaded a string-matching sanitizer, and only the TAG-block encoding was invisible in the human approval view while still reaching the model verbatim, defeating both defense layers simultaneously. MCP re-approval failed for 0/8 techniques even under a time-of-check to time-of-use scenario.\"}]",1784184510,38,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"unicode-tag-block-concealment-of-tool-metadata-payloads-in-the-model-context-protocol","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/technology/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/unicode-tag-block-concealment-of-tool-metadata-payloads-in-the-model-context-protocol/82992/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"How does MCP move tool metadata from a server into the model after approval?","Question",{"text":75,"@type":76},"An agent performs a tools/list handshake, receives tool metadata (name, natural-language description, JSON input schema), shows it in a one-time approval view, and then injects the same metadata verbatim into the model context on every subsequent turn.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"What is “concealment encoding” in this paper?",{"text":80,"@type":76},"Concealment encoding refers to using a character encoding where the renderer displays the payload to a human approval step when it should, but drops or cannot display it when it should not—while still delivering the original bytes to the model.",{"name":82,"@type":73,"acceptedAnswer":83},"What were the experimental results against client-side defenses and approval-view fidelity?",{"text":84,"@type":76},"Across eight attacker-controlled techniques, all 8 delivered payloads into the model context, four evaded a string-matching sanitizer, and only the TAG-block encoding was invisible in the human approval view while still reaching the model verbatim, defeating both defense layers simultaneously. MCP re-approval failed for 0/8 techniques even under a time-of-check to time-of-use scenario.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,113,118,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":111,"slug":112},50,"technology",{"id":114,"doc_module":4,"doc_module_name":45,"category_name":115,"show_sort_weight":116,"slug":117},7,"Healthcare",40,"healthcare",{"id":119,"doc_module":4,"doc_module_name":45,"category_name":120,"show_sort_weight":121,"slug":122},8,"Research & Report",30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]