mcp-attack-labs exposes local RAG poisoning

This is a sharp reminder that local RAG is not inherently safer just because it runs on your laptop. The weak point is the write path, and once poisoned context is retrieved, the model will often trust it more than the original source.

• –Standard 512-token chunks with 200-token overlap increase retrieval chances for boundary-spanning poison.
• –The attack needs no jailbreak, no API access, and no model compromise, just write access to the collection.
• –Output monitoring is too late; the damage is already baked into the context window.
• –Embedding anomaly detection at ingestion was the strongest single defense in the lab, cutting success from 95% to 20%.
• –Even with five layers active, the residual 10% shows semantically clean attacks can still slip through.