Risk
crates/zeph-mcp/src/pruning.rs interpolates raw MCP tool descriptions into the pruning prompt:
lines.push_str(&format!("- {}: {}\n", t.name, t.description));
An attacker-controlled MCP server can inject newlines and prompt-manipulation content into the pruning LLM call. The whitelist validation on returned tool names (line ~112) prevents tool-name injection, but it does not stop injected text from steering the selection itself (which tools the LLM keeps or drops).
Mitigation required
Before the prune_tools wiring PR:
- Strip newlines and control characters from t.description before interpolation
- Cap description at 200 characters
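One way to implement the two mitigations above, as an added example rather than code from the zeph-mcp crate: the Tool struct, sanitize_description and render_tool_lines are assumed names, and the sample description is constructed.

```rust
/// Maximum number of characters kept from a tool description (the 200-char cap above).
const MAX_DESCRIPTION_CHARS: usize = 200;

/// Minimal stand-in for an MCP tool record (assumed shape, not zeph-mcp's own type).
pub struct Tool {
    pub name: String,
    pub description: String,
}

/// Collapse newlines, other control characters and whitespace runs into single
/// spaces and cap the length, so a server-supplied description cannot add its
/// own lines (or an unbounded amount of text) to the pruning prompt.
pub fn sanitize_description(raw: &str) -> String {
    let mut out = String::with_capacity(raw.len().min(MAX_DESCRIPTION_CHARS));
    let mut kept = 0usize; // characters pushed so far, for the cap
    let mut last_was_space = false;
    for c in raw.chars() {
        // '\n', '\r', '\t', other Unicode control characters and any
        // whitespace all become a plain space.
        let c = if c.is_control() || c.is_whitespace() { ' ' } else { c };
        if c == ' ' {
            if last_was_space {
                continue; // collapse runs of separators
            }
            last_was_space = true;
        } else {
            last_was_space = false;
        }
        if kept >= MAX_DESCRIPTION_CHARS {
            break;
        }
        out.push(c);
        kept += 1;
    }
    out.trim().to_string()
}

/// Render the tool list for the pruning prompt, one tool per line, sanitizing
/// the description before it is interpolated (the fix for the line quoted above).
pub fn render_tool_lines(tools: &[Tool]) -> String {
    let mut lines = String::new();
    for t in tools {
        lines.push_str(&format!("- {}: {}\n", t.name, sanitize_description(&t.description)));
    }
    lines
}
```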
Severity
HIGH (not exploitable today — function is unwired, but must be fixed before wiring)
Component
zeph-mcp (pruning.rs)