In today’s newsletter:

• Integrate coding Agents into your workflows.

• Native RAG over video in just 5 lines of code!

• Tool poisoning attacks in MCPs.

Integrate Coding Agents into your workflows​

Using the ​Codegen SDK​, you can programmatically interact with your AI Coding Agents:

You can use it to:

• Assign tasks like implementing features, fixing bugs, writing tests, or improving documentation to the agent.

• Trigger agent tasks from your CI/CD pipelines, scripts, or other development tools.

• Supply the agent with specific instructions, relevant code snippets, or background information to ensure it performs tasks according to your requirements.

Essentially, the SDK allows you to leverage Codegen’s AI capabilities wherever you can run Python code.

​Here's the documentation to learn more →

Native RAG over Video in just 5 lines of code!

Most RAG systems stop at text.

But a lot of valuable context lives in spoken words and visuals like calls, interviews, demos, lectures, and it’s tough to build production-grade RAG solutions on them.

Here’s how you can do that in just 5 lines of code with Ragie:

RAG over videos

• Ingest .mp4, .wav, .mkv, or 10+ formats.

• Run a natural language query like “Moments when Messi scored a goal?”

• Get the exact timestamp + streamable clip that answers it.

Here’s one of our runs where we gave it a goal compilation video, and it retrieved the correct response:

• Top image: ARG vs CRO. It determined there’s a penalty and retrieved the score before and after the penalty.

• Bottom image: ARG vs MEX: It fetched the score before the goal and how the goal was scored accurately.

RAG over videos

Start building RAG over audio and video here →

Tool Poisoning Attacks in MCPs

MCP security is completely broken!

Today, let’s understand tool poisoning attacks and how to defend against them.

MCP allows AI agents to connect with external tools and data sources through a plugin-like architecture.

It's rapidly taking over the AI agent landscape with millions of requests processed daily.

But there's a serious problem...

Tool poisoning.

What is a Tool Poisoning Attack (TPA)?

When malicious instructions are hidden within MCP tool descriptions that are:

• Invisible to users

• Visible to AI models

These instructions trick AI models into unauthorized actions, unnoticed by users.

Here's how the attack works:

AI models see complete tool descriptions (including malicious instructions), while users only see simplified versions in their UI.

First, take a look at this malicious tool:

Let us quickly show you this attack in action by connecting this server to Cursor:

Now let's understand a few other ways these attacks can happen, and then we'll also talk about solutions…

Tool Hijacking Attacks

When multiple MCP servers are connected to the same client, a malicious server can poison tool descriptions to hijack the behavior of TRUSTED servers.

Here's an example of an email sending server hijacked by another server:

Take a look at these two MCP servers before we actually use them to demonstrate tool hijacking.

The add() tool in the second server secretly tries to hijack the operation of send email tool in the first server.

Let's see this in action by connecting the above two servers to Cursor:

MCP Rug Pulls

Even worse, malicious servers can change tool descriptions AFTER users have approved them.

Think of it like a trusted app suddenly becoming malware after installation.

This makes the attack even more dangerous and harder to detect.

Mitigation Strategies:

• Display full tool descriptions in the UI

• Pin (lock) server versions

• Isolate servers from one another

• Add guardrails to block risky actions

Until security issues are fixed, use MCPs with caution.

Part 6 and Part 7 of the MCP crash course explain testing, security and sandboxing in MCP Workflows (with implementation).

MCP crash course part 6 →

MCP crash course part 7 →

MCP crash course part 6

MCP crash course part 7

More specifically, they cover:

• What is testing in MCP, and how does the MCP Inspector help?

• Significance of security in MCP systems

• The key vulnerabilities in MCP

• Real-world threats like prompt injection, tool poisoning, server impersonation, and excessive capability exposure.

• How to define and enforce boundaries using MCP roots.

• Possible solutions to address the key threats

• What is sandboxing and why is it critical?

• Fully containerizing a FastMCP server using Docker

• How to enforce runtime limits and security boundaries with Docker flags?

• How to connect Claude Desktop, Cursor, and custom clients to sandboxed containers?

Thanks for reading!