When you give an AI agent a named tool via WebMCP, you’re handing it a loaded gun. Prompt injection turns that tool into a direct path for hijackers. Here’s what the Chrome security team says you should lock down first—before your agent starts taking orders from strangers.

The Attack Surface You Didn’t See

WebMCP (Model Context Protocol) is designed to let AI agents call specific tools by name. Clean, fast, developer-friendly. But that same clean route is a perfect highway for prompt injection. An attacker slips a malicious instruction into the prompt—often through harmless-looking external content—and the agent obediently executes it. The tool you exposed becomes a weapon.

Real Risk for Cyprus and EU Businesses

If your site or CRM uses WebMCP to hook an AI customer support agent, a competitor or bad actor could inject a prompt that tells the agent to leak EU client PII. Fines under GDPR start at €20 million or 4% of annual global turnover—whichever is higher. For a small Limassol e-commerce shop, that’s existential. And multi-language agents (EN, RU, EL) multiply the attack surface: each language endpoint is a new injection point.

Chrome’s Priority Lockdown List

Google’s Chrome team—cited by security researcher Slobodan Manić on Search Engine Journal—recommends starting with these three controls:

  • Limit tool scope to read-only where possible. If an agent only needs to fetch order status, don’t give it a tool to update the database. MCP tool permissions should mirror the principle of least privilege.
  • Validate all tool inputs against an allowlist. Reject any parameter that doesn’t match a strict format. For example, if the tool expects an order ID (numeric, 6 digits), drop anything else immediately.
  • Log every tool call with full context. Without audit trails, you’ll never know if an agent was hijacked until it’s too late. Store agent prompts, tool names, parameters, and timestamps. Review logs weekly.

Extra Layer for EU Compliance

If your agent handles personal data, add a fourth rule: never expose tools that can export data to external URLs. Attackers often chain injection with data exfiltration. Block outbound requests from the agent environment entirely, or restrict them to your own API endpoints with rate limits.

Tool Labels Alone Won’t Save You

Naming a tool “getUserEmail” doesn’t stop it from being called by an injected prompt. The agent doesn’t second-guess its instructions. WebMCP gives you a beautiful interface for capability—but without the lockdowns above, it’s an open backdoor. Start with Chrome’s list, add GDPR-level logging, and test with adversarial prompts before going live.

Originally reported by Slobodan Manić on Search Engine Journal.