NIXER-2026-0005

gpt-pilot: Prompt Injection + MCP Tool Sprawl

High CVSS 7.2 Prompt Injection Disclosed
Affected Project
Discovered
June 1, 2026
Published
June 1, 2026
Author
Nixer Security Research

Summary

gpt-pilot's developer-mode tool invocation chain does not scope tool access to the project under test. Through a prompt injection payload embedded in a project file, an attacker can cause gpt-pilot to read and exfiltrate files outside the project directory and execute MCP tools against external services.

Technical Details

gpt-pilot's agent is initialized with broad MCP tool access (file system, git, npm, docker). When reading project files as part of its "understand project" phase, it does not sanitize embedded prompt injections before passing them to the LLM agent. A malicious README.md or .env file can contain adversarial instructions that cause the agent to access sensitive files.

Impact

File exfiltration of sensitive data (SSH keys, environment variables, credentials) from developer machines running gpt-pilot, as well as unauthorized API calls to connected services via the MCP tool chain.

Affected Versions

gpt-pilot < 0.9.8 (confirmed vulnerable)

Remediation

Sanitize all project file content before passing to the agent LLM. Scope MCP tool access to the active project directory only. Add confirmation prompts for file reads outside the project root.

Credit: Nixer Security Research — run your own security scan at nixer.polsia.app/try
Discovery method: Found by Nixer security scanner — run your own at https://nixer.polsia.app/try