Now in early access, book a 30-minute demo →
Threat surface

Internet-Sourced Content

Agents constantly pull outside content into the working environment - web pages, docs, packages, repo issues, SaaS records. Every fetch is both useful input and a delivery channel an attacker can plant into.

Attackerplants upstream Web + docs pagesbrowsed content Package registrypackages, skills, servers Repo contentissues, readmes AI agentpulls into context Secrets + sourceenv vars, keys, code Tool-call hookallow / deny / log plant payload poison package read into context fetched code read into context reads / runs deny before run
Internet-sourced content: an attacker plants payloads upstream, the agent pulls them into context, and the agent's own authority carries them to the endpoint.

Agents do not work from a fixed prompt. To be useful they reach outward constantly, pulling live content into the working environment: web pages while researching, packages and their dependencies while building, issues and READMEs while triaging a repo, and SaaS records through MCP tools. Every one of those fetches is both useful input and a delivery channel, and someone other than the user usually wrote the content that decides what the agent does next.

The fetched content arrives in two forms, and both are dangerous. The first is instructions for the model: text the agent reads with roughly the same standing as the user's own words, the raw material of prompt injection. The second is code for the endpoint: a package, skill, or MCP server the agent installs and runs. One steers the reasoning, the other executes directly, and a single fetch can carry both.

Why this surface exists

The instinct to trust a source because it is read-only is exactly wrong here. For an agent, reading is the action: rendering a page or parsing a README places attacker-authored text into the context window, where its instructions can be followed. There is no separate execute step to gate, as indirect prompt injection explained and the prompt injection page detail.

Browser-using agents widen the channel dramatically. An agent driving a real browser reaches any page on the open internet, including sites no reviewer vetted and content that changes between visits, and it renders whatever it lands on. The controls for that mode are laid out in browser AI security risks and controls.

Attack scenarios

Mitigations

  1. Enumerate the fetch surface. Know which agents, MCP tools, and browser integrations pull external or user-generated content into context. That list is your exposure; you cannot govern fetches you cannot see.
  2. Treat every source as untrusted, read-only included. Drop the distinction between reading and executing for agent input. A page the agent merely renders is input to its next action.
  3. Cut the trifecta, not the text. Natural language cannot be reliably sanitized. Deny the combination instead: least privilege on what agents can read and install, plus an explicit policy on where they can send data.
  4. Enforce at the tool-call boundary. The moment fetched content becomes action is a tool call - a shell command, an install, an outbound request. Evaluating each call against policy before it runs turns a hijacked agent into a denied, logged attempt.

How Anomity helps

Anomity's lightweight Endpoint Sensor inventories every agent, MCP server, skill, and extension that can pull outside content into the environment, recording source, owner, and version for each, so the fetch surface is enumerable instead of invisible. On agents that expose a hook, such as Claude Code's PreToolUse, each tool call - a fetch, an install, an outbound request - is evaluated and allowed, denied, or logged before it runs, which is exactly where an internet-sourced payload turns into action. New packages, skills, and servers surface as change events, violations route to SIEM, Slack, email, and Jira, and every call lands in a queryable 90-day audit trail. The sensor sends metadata only, never source or prompts.

See this surface in your own fleet

Anomity's Endpoint Sensor discovers every AI agent, MCP server, skill, and rules file on every endpoint, and governs each tool call at the hook. Book a 30-minute demo.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok