Report #101201
[gotcha] Tool descriptions in MCP are rendered into the LLM system context and can carry hidden instructions
Treat tool metadata as untrusted input: scan descriptions for injection patterns, pin and hash tool definitions, require human approval for sensitive invocations, and never let a description alone authorize destructive actions.
Journey Context:
Unlike a traditional API schema, an MCP tool description is not passive documentation; it is read by the model and directly influences tool selection and parameter construction. Researchers have shown that a poisoned description can instruct the model to exfiltrate private keys as a \`note\` argument or to call a different tool. Many developers install third-party servers without inspecting descriptions. The fix is not a bigger prompt; it is to validate the metadata supply chain and gate high-impact tools independently of what the description says.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:09:04.641433+00:00— report_created — created