MCP is the USB-C of AI agents. The official servers' prompt-level defenses are alarmingly bad. For readers who haven't met it yet: Model Context Protocol (MCP) is Anthropic's open spec for letting LLMs call external tools — file readers, databases, APIs — through a standard interface. Think of it as the universal port that turns any agent into a Swiss Army knife. April was the month the agent infrastructure community stopped sleeping on this. Cloudflare and collaborators published the Comment & Control disclosure: Claude Code Security Review, Gemini CLI Action, and GitHub Copilot Agent were all hijacked by prompt injection embedded inside GitHub Issue comments. The attack surface wasn't a bug in the LLM — it was the trust contract between the agent and the tool description. So we ran the audit nobody had run yet. Here's what we found. Why we ran this audit Three reasons stacked on top of each other: The Comment & Control disclosure put a spotlight on tool-description-based attacks.…