Looks like the worst of these attacks can be prevented by building MCP servers on sandboxed environments, like what Deno provides for example, or in a VM.
I think it is important to understand the difference between instruction and implementation level attacks.
Yes, running unsafe bash commands in the implementation can be prevented by sandboxing. Instruction level attacks like tool poisoning, cannot be prevented like this, since they are prompt injections and hijack the executing LLM itself, to perform malicious actions.
