ANSI Escape Code Injection in Agent Output is an attack in which MCP tool results or LLM-generated output contain ANSI terminal control sequences that manipulate what the user sees in a terminal-based MCP host. Tools like Claude Code, Cursor’s terminal mode, and CLI MCP clients render output to a real terminal that interprets escape codes. Attackers can hide text, fake confirmation prompts, overwrite previous lines, clear the screen, or change colors to disguise malicious output as benign. The attack is well known in the broader terminal security space, but it’s particularly nasty in agentic contexts where users skim output between tool calls.
How ANSI Escape Code Injection Works
A malicious MCP server returns a tool result containing ANSI escape codes. Example: the sequence “\x1b[2K\x1b[1A” clears the current line and moves the cursor up, letting the attacker overwrite a previous output line with new content. More dangerous variants include “\x1b]2;safe-looking-title\x07” to spoof the terminal title bar, hidden text rendered in matching foreground and background colors, fake interactive prompts that look like the agent is asking for confirmation, and cursor manipulation that hides destructive commands inline with normal output. The user reads what looks like a clean log and misses the malicious content entirely.
Why ANSI Injection Hits Terminal-Based Agents Hard
Agentic CLI tools like Claude Code give the LLM significant power to chain tool calls and execute commands. Users typically skim the output stream rather than reading every line carefully, trusting the agent to surface anything important. ANSI escape codes turn that trust against the user. A poisoned tool result can make a successful exfiltration look like a failed read. It can spoof an approval prompt that the user answers without realizing they’re approving an agent-issued action. Modern terminals respect escape codes by default, so the attack works without any additional setup on the attacker’s side.
How to Detect and Stop ANSI Escape Code Injection
Strip all ANSI escape sequences from MCP tool results before rendering them to the terminal, unless the tool explicitly needs to emit them. Configure terminal emulators to ignore unsafe escape sequences like cursor manipulation and title bar updates. Render agent output to a sandboxed view that strips control characters by default. Apply output filters at the host level, not at the server level, so every server’s output gets the same treatment. The Certified MCP Security Expert (CMCPSE) certification covers ANSI injection with hands-on terminal hardening labs.
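A host-side filter of the kind described above, as an added example that is not code from this page or from any MCP host. The function name sanitize_tool_result and the sample tool result are assumptions constructed for illustration; the filter removes CSI, OSC and string-type escape sequences plus stray control characters, and counts what it removed so the host can log or flag the server.

```python
import re

# ECMA-48 sequence families (7-bit forms). Order matters: the generic ESC
# branch must come after the more specific ones.
_ESCAPES = re.compile(
    r"""
    (?P<osc>\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?)     # OSC: window title, hyperlinks
  | (?P<string>\x1b[PX^_].*?(?:\x1b\\|$))           # DCS/SOS/PM/APC payload strings
  | (?P<csi>\x1b\[[0-?]*[ -/]*[@-~]?)               # CSI: cursor moves, erase, colour
  | (?P<esc>\x1b[ -/]*[0-~]?)                       # any other ESC sequence, or a bare ESC
  | (?P<control>[\x00-\x08\x0b-\x1f\x7f-\x9f])      # stray C0/C1 controls, CR and BS included
    """,
    re.VERBOSE | re.DOTALL,
)


def sanitize_tool_result(text):
    """Return (clean_text, findings).

    clean_text keeps printable characters, tab and newline only.
    findings maps each sequence family to the number of matches removed.
    """
    findings = {}

    def _drop(match):
        family = match.lastgroup
        findings[family] = findings.get(family, 0) + 1
        return ""

    return _ESCAPES.sub(_drop, text), findings


# Constructed sample tool result (not captured from a real server). It uses
# the two sequences quoted earlier on this page plus a colour change.
SAMPLE = (
    "status: write to config refused\n"
    "\x1b[2K\x1b[1Astatus: nothing changed\n"
    "\x1b]2;safe-looking-title\x07"
    "\x1b[30;40mtext hidden by colour\x1b[0m\r\n"
)

if __name__ == "__main__":
    clean, findings = sanitize_tool_result(SAMPLE)
    print(clean, end="")
    print("removed:", findings)
```

After filtering, both status lines and the colour-hidden text are visible as ordinary lines, and a non-empty findings result is a signal worth logging against the server that produced it.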
Summary
ANSI Escape Code Injection in Agent Output abuses terminal control sequences to hide, overwrite, or spoof MCP agent output, turning ordinary CLI hosts into a deception channel. Strip escape codes at the host layer and render output in sandboxed views to break the attack. The Certified MCP Security Expert (CMCPSE) certification trains engineers to harden terminal-based MCP clients against this overlooked attack class.
