Prompt injection is the main risk
The client acting on your behalf is an LLM, so content it reads — a conversation transcript, a knowledge base topic, a tool result — can contain instructions that try to redirect it. Assume any text the model ingests could attempt to trigger a tool call you didn’t intend. The mitigations below limit the blast radius when it does.Recommendations
Use least-privilege keys
Use least-privilege keys
Create an API key with the minimum permissions and agent scope the task needs. A key that only needs to read conversations shouldn’t be able to publish. Scope keys to specific agents where possible, and use separate keys for read-only versus build workflows.
Keep keys out of prompts
Keep keys out of prompts
Store the API key in your client’s secret settings or environment — never paste it into a chat message. Anything typed into the conversation can end up in logs or model context.
Prefer read-first workflows
Prefer read-first workflows
Fetch and confirm the current state of a resource before you update or delete it. “Show me the agent’s current behavior rules” before “update them” prevents the model from acting on stale assumptions.
Review destructive actions
Review destructive actions
Tools that delete, publish, promote, or roll back should require explicit user intent. Enable confirm before running tools in your MCP client so these are never executed silently, and read the deployment steps before promoting to production.
Be careful with PII in transcripts
Be careful with PII in transcripts
Conversation data and transcripts may contain personal or sensitive information. Don’t pull full transcripts into the model’s context unless you need them — retrieve only the fields required, and avoid echoing sensitive values back into the chat. See Compliance for how PolyAI handles call data.
Restrict the tool surface
Where a client only needs a subset of tools, expose only those using thetools query parameter on the endpoint URL — see Capabilities → Limiting which tools are exposed. A read-only analysis client should never be handed create, publish, or delete tools in the first place.
