[Security] EmbeddedResource Injection in MCP Adapter

[calghar]

Hi agno team,

I might have found a vulnerability in agno's MCP adapter that I'd like to disclose responsibly.

The short version: agno/utils/mcp.py calls model_dump_json() on EmbeddedResource objects returned by MCP tool calls, which serializes all Pydantic fields verbatim into the string fed to the LLM. This can be used maliciously and affects agno 2.6.4

I'd prefer to share the full technical details privately and discuss this privately. I noticed the repo doesn't have private security advisory reporting enabled so not sure how to raise this privately

[musaabhasan]

Good call raising this through a private channel rather than posting exploit detail here.

From a maintainer-process perspective, the safest immediate actions would be:

1. Enable GitHub private vulnerability reporting for the repository, or publish a SECURITY.md with a direct disclosure address.
2. Acknowledge the report publicly without asking for proof-of-concept payloads in the discussion thread.
3. Treat serialization of MCP EmbeddedResource objects as a trust-boundary issue, not only a formatting issue. The relevant control is to convert resources into a constrained representation before they are exposed to the model.
4. Add regression tests for hostile resource fields, especially fields that can carry instruction-like text, nested metadata, MIME/type confusion, and unexpected serialized attributes.
5. Document whether MCP resource content is considered trusted, untrusted, or mixed-trust in the adapter.

A robust fix is usually allowlist-based serialization: only pass the fields that the model genuinely needs, preserve provenance/type metadata separately, and avoid dumping full object internals into prompt-visible text. If a field comes from an MCP server or external resource, it should be treated as untrusted content even when the transport itself is authenticated.