Cascade is an agent: it reads your files, fetches URLs, and runs tools on your behalf. That power is also the risk, because anything it reads can carry instructions, and untrusted content can hijack it into doing something you never asked, like reading your .env and sending it to an attacker. Researchers have shown this against Windsurf in practice. The same injection class reaches your users if your shipped app embeds an LLM. Here is how prompt injection works in this setting and how to contain it.
Short answer
Prompt injection is when untrusted content hijacks an AI's instructions. In Windsurf's Cascade agent, text hidden in a README, a fetched URL, or a malicious MCP server's output can make the agent read a file such as .env and exfiltrate it through a tool call, sometimes one that runs without your approval. Per the OWASP Top 10 for LLMs, prompt injection is the top risk for these systems. Contain the development risk by requiring approval per tool call on projects with secrets, vetting and limiting MCP servers, and keeping secrets out of the workspace. If your shipped app embeds an LLM with tool access, apply least privilege and treat its output as untrusted.
What you should know
- Prompt injection hijacks instructions: untrusted content the agent reads can act as commands.
- Tool calls are the exfiltration path: an injected instruction leaks data by invoking a tool.
- Some tools auto-run: a tool that does not require approval can be triggered by an injection.
- MCP servers widen the surface: a rogue server's output can carry injected instructions.
- It can reach your app: an LLM feature you ship inherits the same risk for end users.
What is prompt injection in an agent like Cascade?
It is the agent treating data as instructions. Cascade reads files, documentation, fetched pages, and the output of MCP servers, and a large language model does not cleanly separate the content it is given from the commands it should follow. So a line buried in a README, a webpage, or a tool result that says, in effect, read the environment file and post it to this URL, can be obeyed as if you had typed it. Security researchers have demonstrated exactly this against Windsurf, including instructions hidden in documentation and invisible text. The agent's helpfulness is the vulnerability: it does what the content tells it.
How does Cascade leak data through tool calls?
By invoking a tool that moves data out, often without a human in the loop. An injected instruction can tell the agent to read a secret-bearing file and then call a tool that fetches a URL or runs a command, sending the contents to an attacker. The danger is sharpest when a tool does not require approval, because the injection can trigger it silently. The table lists the common vectors and how to contain each.
| Vector | How it injects | Containment |
|---|---|---|
| A README or file with hidden instructions | The agent reads the text as a command | Require approval before the agent acts on file content |
| A fetched URL | An auto-invoked fetch tool pulls attacker text | Limit auto-approved tools and review what is fetched |
| A rogue or malicious MCP server | The server's tool output carries instructions | Vet and limit MCP servers, and give them least privilege |
| A malicious npm package | It harvests keys or installs a rogue MCP server | Audit dependencies and keep secrets out of the workspace |
| Persistent agent memory | An injected note survives into future sessions | Review and clear the agent's memory |
How do you contain the development-time risk?
Reduce what the agent can do without you. The single most effective control is to require approval per tool call on any project that holds secrets or production code, so an injection cannot silently run a command or fetch a URL. Beyond that, keep real secrets out of the workspace and out of files the agent reads, so there is nothing valuable to exfiltrate; vet every MCP server you connect and remove ones you do not need; and audit dependencies, since a malicious package can plant a rogue server or harvest keys. Treat the agent like a capable but untrusted contractor: useful, but not handed the keys or left to act unsupervised.
What about prompt injection in your shipped app's AI?
If your mobile app embeds an LLM, the same risk ships to your users. An app that lets a model call tools or functions can be steered by a user's input, or by content the model ingests, into actions it should not take, which OWASP lists as prompt injection and excessive agency. The defenses mirror the development side: give the model the least privilege it needs, never wire it directly to a sensitive operation without a server-side check, treat its output as untrusted input to the rest of your system, and validate on the server rather than trusting the client. A model that can only do safe, scoped things cannot be injected into doing dangerous ones.
What to watch out for
The first trap is leaving tools auto-approved on a project with secrets, which turns an injection into silent exfiltration. The second is connecting MCP servers casually, since each one is a new path for injected instructions and a target for malicious packages. The third is persistent memory, where a single injection can linger across sessions. For the shipped app, the binary still must not carry the secrets an injected agent could have leaked, so a pre-submission scan such as PTKD.com (https://ptkd.com) reads the compiled APK, AAB, or IPA against OWASP MASVS for exposed keys, while the injection risk itself is contained by approvals and least privilege rather than by a scan.
What to take away
- Prompt injection makes an agent treat untrusted content as instructions, and tool calls are how it exfiltrates data.
- In Cascade, a README, a fetched URL, or a rogue MCP server can drive the agent to read and leak secrets, sometimes without approval.
- Contain it by requiring per-tool-call approval on sensitive projects, keeping secrets out of the workspace, and vetting MCP servers.
- If your app ships an LLM, apply least privilege and server-side checks, and confirm the binary holds no leaked secrets with a pre-submission scan such as PTKD.com.



