Now in early access, book a 30-minute demo →
Threat surface

The Context Window

Every input an agent reads - the user's prompt, rules and skills files, fetched web pages, and tool output - lands in one context window with the same standing, which makes it the central trust boundary of agentic AI.

Rules + skills filesclaude.md / skill.md User prompttyped instructions Web + MCP outputfetched pages, results Context windowall inputs, one plane Endpoint + toolsshell, files, secrets Tool-call hookallow / deny / log loaded each session prompt read into context acts with authority deny before run
Inputs of every kind converge in one context window; the agent then acts with the endpoint's authority, so the window is where trust is decided.

Every agentic action begins in the context window: the span of text the model reads before it acts. Into it go the system prompt, the user's request, the rules and skills files loaded at startup, the files it opens, the pages it fetches, and the output of every tool and MCP server it calls. The model does not receive these as separate, privilege-tagged channels; it receives one stream of tokens. That is what makes the context window the central trust boundary of agentic AI, and where every instruction-layer attack ultimately executes. Traditional perimeters sit at the network edge; for an agent the decisive event is a token sequence entering the window and redirecting the endpoint's authority. The context window is the new perimeter.

Why this surface exists

The context window is a surface, not a bug. A language model predicts a continuation of the text it is shown, so instructions and data are the same substance to it: tokens that influence the next token. No model-level tag marks the user's words as trusted and a fetched page as inert, so an instruction placed in supposed data can override the role markers vendors add - which is why indirect prompt injection has no clean patch.

Two properties widen the surface. Breadth: what can write into context grows with every MCP server, skill, and integration, most pulling in content the agent did not author. Persistence: the user's prompt lasts one turn, but rules files (CLAUDE.md, AGENTS.md) and memory files reload every session, so a payload planted in one runs again and again without the attacker returning - the mechanism behind AI agent memory poisoning.

Attack scenarios

Mitigations

  1. Assume no privilege separation inside the window. Treat any input the agent can read as potentially carrying instructions; do not rely on the model knowing a span was only data.
  2. Constrain what reaches the window. Inventory every channel that writes into context - agents, MCP servers, skills, rules files - and treat that list as your attack surface. You cannot govern inputs you have not enumerated.
  3. Enforce at the exit, not the entrance. The text going in cannot be sanitized, so put the control where influence becomes action: the tool call. A hook that evaluates each call before it runs breaks the chain regardless of how the instruction arrived.
  4. Watch persistent inputs, and keep the trail. Rules and memory files replay every session, so treat a change to one as a reviewable change event. Keep tool calls queryable long enough to reconstruct what was read and done.

How Anomity helps

Anomity's lightweight, unprivileged Endpoint Sensor discovers the channels that feed the context window across Windows, macOS, and Linux - the AI agents, MCP servers, skills, extensions, and rules files on each endpoint, with source, owner, and version - and flags changes to rules and memory files as change events. On agents that expose a hook, such as Claude Code's PreToolUse, it evaluates each tool call and returns allow, deny, or log before it runs, enforcing at the exit even after hostile text has entered the window. It sends metadata only, never prompts or source code, and routes violations to SIEM, Slack, email, and Jira with a queryable 90-day audit trail.

See this surface in your own fleet

Anomity's Endpoint Sensor discovers every AI agent, MCP server, skill, and rules file on every endpoint, and governs each tool call at the hook. Book a 30-minute demo.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok