Every agentic action begins in the context window: the span of text the model reads before it acts. Into it go the system prompt, the user's request, the rules and skills files loaded at startup, the files it opens, the pages it fetches, and the output of every tool and MCP server it calls. The model does not receive these as separate, privilege-tagged channels; it receives one stream of tokens. That is what makes the context window the central trust boundary of agentic AI, and where every instruction-layer attack ultimately executes. Traditional perimeters sit at the network edge; for an agent the decisive event is a token sequence entering the window and redirecting the endpoint's authority. The context window is the new perimeter.
Why this surface exists
The context window is a surface, not a bug. A language model predicts a continuation of the text it is shown, so instructions and data are the same substance to it: tokens that influence the next token. No model-level tag marks the user's words as trusted and a fetched page as inert, so an instruction placed in supposed data can override the role markers vendors add - which is why indirect prompt injection has no clean patch.
Two properties widen the surface. Breadth: what can write into context grows with every MCP server, skill, and integration, most pulling in content the agent did not author. Persistence: the user's prompt lasts one turn, but rules files (CLAUDE.md, AGENTS.md) and memory files reload every session, so a payload planted in one runs again and again without the attacker returning - the mechanism behind AI agent memory poisoning.
Attack scenarios
- Single-turn injection. The agent fetches a web page or README mid-task; hidden text in it carries instructions that, sitting in the same window as the user's request, get acted on rather than merely read.
- Persistent context poisoning. An attacker writes instructions into a rules or memory file once. Every session reloads it, so the compromise survives restarts and reads as ordinary configuration - see what agent skills are.
- Trifecta assembly. Harmless inputs combine in one window: a skill granting a data-reading tool, a page carrying an instruction, and an MCP tool that reaches the internet - the lethal trifecta for exfiltration.
- Tool-output relay. A tool call's result - a database row, an email body, a ticket - lands in context carrying an instruction that steers the next call, so untrusted output becomes the next command.
Related surfaces
- Internet-sourced content - web and SaaS content pulled in by fetches and browsing.
- Malicious MCP servers and malicious agent skills - the supply chain that ships payloads into the window.
- Malicious AI rules - the persistent, reloaded-every-session variant.
- Prompt injection - the attack that executes once hostile text is in the window.
Mitigations
- Assume no privilege separation inside the window. Treat any input the agent can read as potentially carrying instructions; do not rely on the model knowing a span was only data.
- Constrain what reaches the window. Inventory every channel that writes into context - agents, MCP servers, skills, rules files - and treat that list as your attack surface. You cannot govern inputs you have not enumerated.
- Enforce at the exit, not the entrance. The text going in cannot be sanitized, so put the control where influence becomes action: the tool call. A hook that evaluates each call before it runs breaks the chain regardless of how the instruction arrived.
- Watch persistent inputs, and keep the trail. Rules and memory files replay every session, so treat a change to one as a reviewable change event. Keep tool calls queryable long enough to reconstruct what was read and done.
How Anomity helps
Anomity's lightweight, unprivileged Endpoint Sensor discovers the channels that feed the context window across Windows, macOS, and Linux - the AI agents, MCP servers, skills, extensions, and rules files on each endpoint, with source, owner, and version - and flags changes to rules and memory files as change events. On agents that expose a hook, such as Claude Code's PreToolUse, it evaluates each tool call and returns allow, deny, or log before it runs, enforcing at the exit even after hostile text has entered the window. It sends metadata only, never prompts or source code, and routes violations to SIEM, Slack, email, and Jira with a queryable 90-day audit trail.




