Report #101313
[architecture] An agent dynamically loads tools or MCP servers without verifying their capabilities, enabling tool poisoning and excessive agency
Statically allow-list tools/MCP servers and capabilities per deployment; load capability descriptors from a trusted source, not from untrusted tool responses. Run tool executors in sandboxed processes with minimal permissions, and validate both tool inputs and outputs against schemas before use
Journey Context:
Dynamic tool discovery is convenient, but it lets a poisoned tool description expand an agent's authority at runtime. MCP threat modeling identifies tool poisoning as a primary attack path. Allow-listing plus sandboxing shifts the default from 'any tool the model names' to 'only pre-approved, scoped capabilities,' which directly counters OWASP LLM06 Excessive Agency.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:20:54.317103+00:00— report_created — created