Agentic systems are getting wild and in Episode 6 of Breaking Point, I dive into a real desktop chatbot that uses the Model Context Protocol (MCP)… and show how metadata alone can bend the agent to my will.

This isn’t a jailbreak. It’s worse.

We’re talking indirect prompt injection. Influencing the agent not through what the user says… but through the tools it trusts. MCP promises “superpowers” for agents.

What it really unlocks? A much bigger attack surface.

In this episode I explore OmniChat Desktop, a weather-fetching app powered by third-party MCP servers — where simple tool descriptions look almost indistinguishable from system prompts.

And when an agent can’t tell data from instructions… you already know where this is going.

⚠️ No spoilers, but let’s just say metadata should not be trusted.