Wix's MCP Injects Mandatory Agent Instructions Into Tool Descriptions

# Wix's MCP Injects Mandatory Agent Instructions Into Tool Descriptions

We connected to www.dugganusa.com's Wix-native Model Context Protocol endpoint at /_api/mcp tonight, ran a tools/list call to see what Wix exposes to AI agents, and found something that's worth flagging publicly.

Every tool description Wix returns contains an embedded <agent-mandatory-instructions> block telling the connecting AI agent what flow to follow, what tools to call in what order, and how to behave during a session. The instructions are not optional. They use the literal phrase "YOU MUST READ AND FOLLOW THE AGENT-MANDATORY-INSTRUCTIONS BELOW. A FAILURE TO DO SO WILL RESULT IN ERRORS AND CRITICAL ISSUES."

This is novel. It is also worth thinking about carefully.

What Wix is actually doing

The Model Context Protocol, as designed by Anthropic, exposes tools to AI agents via a tools/list JSON-RPC method that returns each tool's name, description, and inputSchema. The description field is documented as a natural-language explanation of what the tool does, intended to help the AI agent decide whether to call it.

Wix's implementation puts a long, structured prompt-injection-style directive inside that description field. Sample (excerpted from ReadFullDocsArticle's description, returned live tonight):

The same block appears in ReadFullDocsMethodSchema and presumably in every other tool. It is not parameter documentation. It is behavioral conditioning.

Why this is a category-defining move

Three things are happening simultaneously here.

One: Wix is using the MCP protocol as a vendor-control plane on top of someone else's AI agent. When an AI agent connects to Wix's MCP — Claude, GPT, a Cursor session, an open-source MCP client — the agent's behavior during that session is being scripted by Wix's tool descriptions, not by the user, and not by the model provider. Wix is reaching across the trust boundary of the connecting agent and saying "you are now an agent that helps the user manage their Wix site." Even if the user is connecting Wix's MCP for a different reason — maybe they just want to query their blog content from inside their own dev tooling — the directive is there, telling the agent it's a Wix-management agent now.

Two: this is prompt injection executed by the legitimate vendor on the legitimate channel. Prompt injection has historically meant adversarial content embedded in documents, web pages, or untrusted user inputs that hijacks an AI agent's behavior. Wix has shifted the threat model — the documented MCP API surface itself is the prompt-injection vector. The tool description is a contract the connecting agent reads to decide how to use the tool. When the contract contains "YOU MUST READ AND FOLLOW... A FAILURE TO DO SO WILL RESULT IN... CRITICAL ISSUES," the agent has now been pre-programmed by the vendor before it has done a single useful action.

Three: there is no off-switch for the connecting agent. MCP doesn't (yet) have a notion of "tool description integrity" that a client can verify or sanitize. The tools/list response is treated as canonical metadata. A defensive MCP client could strip embedded <agent-mandatory-instructions> blocks before passing the descriptions to the model — but the spec doesn't require this and the major clients today don't do it.

What's the actual harm

Maybe this is fine. Wix is the legitimate operator of their own MCP. They're trying to teach connecting agents how to use Wix correctly so users get good outcomes. That's a reasonable goal.

The harm shows up in three places.

Trust boundary violation. The MCP user did not consent to Wix scripting their AI agent's session conduct. They consented to Wix exposing tools. Those are different things. If the user explicitly said "act as a security analyst connecting to Wix to audit content," and Wix's tool descriptions silently override that with "you are an agent that helps the user manage their Wix site," the user's intent has been hijacked.

Agent specialization at the protocol level. If every vendor's MCP starts shipping with <agent-mandatory-instructions> saying "you are now an agent that helps with our service," connecting to multiple vendors' MCPs in the same session becomes a war of injected directives. The user's agent is no longer their agent — it is a coalition of vendor-imposed behaviors competing for control.

Cascading injection into less-trustworthy MCPs. Wix is a major SaaS vendor with a customer-base they're loyal to. They have reason not to misuse this primitive. But once the pattern is normalized, every smaller MCP server, every malicious one, every compromised-but-still-running one will inject behavioral directives into tool descriptions. The MCP ecosystem has just been shown that this works. Defenders need to plan accordingly.

What we recommend

For AI agent vendors and MCP client implementers: treat MCP tool descriptions as untrusted user content. Strip or quarantine embedded XML-tagged directive blocks (<agent-mandatory-instructions>, <system>, <override> etc.) before passing the description into the agent's context window. Surface the directive separately so the user can see what the vendor is trying to inject. Make stripping the default; let the user opt in to vendor-injected behavior on a per-MCP basis.

For users connecting to vendor MCPs: read the tool descriptions yourself before granting your agent access. If the description contains "YOU MUST" directives, you have been told what the vendor wants your agent to do. Decide whether you accept that.

For MCP spec maintainers: this is a hole the spec needs to close. Tool descriptions should be parameter documentation, not behavioral conditioning of the connecting agent. The spec should say so explicitly, and clients should default to enforcing the boundary.

What we did about it on our end

We're a Wix-hosted blog publisher. We connect to Wix's MCP as a customer, not as an AI agent under Wix's behavioral control. When we use Wix's MCP from our own automation, we read tool descriptions ourselves and let the human (Patrick, in our case) decide what the agent should do.

Our own MCP and NLWeb endpoints — the Cloudflare Worker dugganusa-nlweb serving /.well-known/nlweb, /api/ask, etc. — return tool descriptions that document what the tool does and nothing else. No <agent-mandatory-instructions> blocks, no behavioral conditioning. We hold the line because we expect connecting AI agents to be other people's agents, not ours, and our tool descriptions are not the place to argue with the user's intent.

The shape of the next year

Vendor-injected agent directives via MCP tool descriptions are going to spread because they work and because there's no visible cost to deploying them. The cost shows up later — in confused user expectations, in cross-vendor MCP behavior wars, and in malicious operators using the same primitive for actually-bad ends. The MCP spec needs to address this, and the major MCP clients (Claude Desktop, Cursor, Continue, the open-source field) need to decide whether stripping vendor directives is the default or the opt-in.

Wix is the canary. They're not the villain — they're the legitimate vendor showing the rest of us what the ecosystem is going to look like if no one pushes back. The push-back has to come from the spec, the clients, and the users who decide to read the tool descriptions before letting their agents act on them.

We read ours. Now you've read this. Read theirs.

Her name was Renee Nicole Good.

His name was Alex Jeffery Pretti.