@tbrgeek/spotify-mcp-server
Production-ready MCP server for Spotify control with bulletproof error handling
0Tools
18Findings
Mar 24, 2026Last Scanned
5 critical · 10 high · 2 medium · 1 low findings detected
Security Category Deep Dive
Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
Findings8
8 high
highJ5Tool Output Poisoning PatternsMCP01-prompt-injectionAML.T0054
[AST — J5] Catch block at L573 interpolates error variable "error" into response. If the error originates from attacker-controlled input (e.g., malformed data), the error message becomes an injection vector into the AI's context.
Never include user input or LLM manipulation directives in error messages or tool responses. Use structured error codes.
highJ5Tool Output Poisoning PatternsMCP01-prompt-injectionAML.T0054
[AST — J5] Catch block at L621 interpolates error variable "error" into response. If the error originates from attacker-controlled input (e.g., malformed data), the error message becomes an injection vector into the AI's context.
Never include user input or LLM manipulation directives in error messages or tool responses. Use structured error codes.
highJ5Tool Output Poisoning PatternsMCP01-prompt-injectionAML.T0054
[AST — J5] Catch block at L644 interpolates error variable "error" into response. If the error originates from attacker-controlled input (e.g., malformed data), the error message becomes an injection vector into the AI's context.
Never include user input or LLM manipulation directives in error messages or tool responses. Use structured error codes.
highJ5Tool Output Poisoning PatternsMCP01-prompt-injectionAML.T0054
[AST — J5] Catch block at L428 interpolates error variable "error" into response. If the error originates from attacker-controlled input (e.g., malformed data), the error message becomes an injection vector into the AI's context.
Never include user input or LLM manipulation directives in error messages or tool responses. Use structured error codes.
highJ5Tool Output Poisoning PatternsMCP01-prompt-injectionAML.T0054
[AST — J5] Catch block at L464 interpolates error variable "error" into response. If the error originates from attacker-controlled input (e.g., malformed data), the error message becomes an injection vector into the AI's context.
Never include user input or LLM manipulation directives in error messages or tool responses. Use structured error codes.
highJ5Tool Output Poisoning PatternsMCP01-prompt-injectionAML.T0054
[AST — J5] Catch block at L488 interpolates error variable "error" into response. If the error originates from attacker-controlled input (e.g., malformed data), the error message becomes an injection vector into the AI's context.
Never include user input or LLM manipulation directives in error messages or tool responses. Use structured error codes.
highJ5Tool Output Poisoning PatternsMCP01-prompt-injectionAML.T0054
[AST — J5] Catch block at L517 interpolates error variable "error" into response. If the error originates from attacker-controlled input (e.g., malformed data), the error message becomes an injection vector into the AI's context.
Never include user input or LLM manipulation directives in error messages or tool responses. Use structured error codes.
highJ5Tool Output Poisoning PatternsMCP01-prompt-injectionAML.T0054
[AST — J5] Catch block at L545 interpolates error variable "error" into response. If the error originates from attacker-controlled input (e.g., malformed data), the error message becomes an injection vector into the AI's context.
Never include user input or LLM manipulation directives in error messages or tool responses. Use structured error codes.
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
100%4 rules
Hidden instructions via external content and tool responses
100%2 rules
Context window saturation and prior-approval exploitation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
50%2 rules1 found
Injection via prompt templates and runtime tool output