Report #103296
[gotcha] Tool poisoning in MCP and agent frameworks: malicious tool descriptions hijack model decisions
Validate tool metadata statically before exposing it to the LLM; run tool descriptions through the same untrusted-content boundary as user input; require human approval for tool invocations; and enforce authorization in downstream systems, not in natural-language descriptions.
Journey Context:
In MCP and similar frameworks the model sees tool names, descriptions, and schemas. Attackers embed hidden instructions there because clients often trust server-supplied metadata. The model then picks a poisoned tool or supplies attacker-controlled arguments, turning a protocol feature into a confused-deputy attack.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:21:06.778423+00:00— report_created — created