MCP tool poisoning attacks exploit hidden malicious instructions embedded in Model Context Protocol tool metadata to manipulate AI agent behavior. Unlike traditional prompt injection, these attacks hide in tool descriptions and schemas that are automatically loaded into the model's context but remain invisible to users. The poisoned metadata can influence agent decision-making, cause cross-tool interference, and lead to data exfiltration or privilege escalation without ever invoking the compromised tool. Defense strategies include strict least-privilege access controls, MCP gateways for metadata verification, supply chain hardening, environment isolation, and model-level protections against indirect prompt injection.
Table of contents
What is a tool poisoning attack?How tool poisoning attacks workWhy MCP systems are uniquely exposedImpacts of MCP tool poisoning attacksHow to defend against tool poisoningMitigate tool poisoning attack threatsSort: