Skip to main content

MCP Tool Poisoning

MCP Tool Poisoning

Table of Contents

Quick Answer

MCP tool poisoning happens when an AI agent is influenced by unsafe tool descriptions, parameter schemas, updates, or results. Defenses include trusted registries, pinned definitions, schema review, tool namespaces, argument validation, least privilege, sandboxing, approval gates, monitoring, and rapid revocation.

What Is MCP Tool Poisoning?

MCP tool poisoning is a security risk in which untrusted or changed tool metadata influences an AI agent's decisions. A description may overstate safety, a schema may hide important effects, a duplicate tool may confuse selection, or a tool result may contain instructions that the model treats as authority.

The key defensive principle is simple: tool metadata and output are data, not policy. A trusted application must decide which tools exist, who may use them, which arguments are allowed, and whether the exact requested action is safe.

How the Risk Reaches an AI Agent

Tool poisoning influences the context used to form an action. The model can propose a tool and arguments, but execution must remain behind a deterministic gateway that rechecks identity, authorization, resources and business rules.

Risk path
  1. 1 Tool metadata or result changes Description, schema, update or output
  2. 2 Untrusted content enters context The agent reads it as task input
  3. 3 The model proposes a tool action Selection and arguments are still untrusted

Control boundary

Deterministic policy gateway Identity · authorization · arguments · target resource · business rules
Controlled outcome
AllowLow-risk action passes policy
Human approvalImpact requires explicit confirmation
Block and alertPolicy or trust check fails

The model may propose an action; policy decides whether it executes.

The unsafe content can influence a proposed action, but a deterministic policy gateway must decide whether that action is allowed to execute.

Types of MCP Tool Poisoning

TypeMeaningDefensive control
Description poisoningUnsafe instructions are hidden in a tool descriptionReview and sanitize metadata
Schema poisoningParameters misrepresent behavior or impactPin and diff schemas
Tool shadowingA duplicate or confusing tool influences use of a trusted toolNamespaces and registry controls
Rug pullA previously trusted server changes after approvalSigned versions and change approval
Result poisoningTool output contains manipulative instructionsTreat results as untrusted data
Cross-server interferenceOne server affects how another server is usedIsolate trust domains
RiskPrimary target
Direct prompt injectionUser prompt
Indirect prompt injectionExternal content
MCP tool poisoningTool metadata, schemas or results
Supply-chain compromiseTool package, server or dependency
Tool misuseA legitimate tool used for an unsafe action

Why Tool Schemas Matter

A model uses names, descriptions, parameter types and examples to decide when and how to call a tool. That makes schema review a security task. Pin approved schemas, compare changes, verify high-impact parameters, and keep authorization outside the model.

A prompt that tells an agent to use tools safely is not a deterministic control. Required controls include tool allowlists, user and resource authorization, argument validation, business-rule checks, rate limits, approval gates, execution sandboxing, and audit logs.

Defensive Tool Trust Lifecycle

Lifecycle stageRequired check
DiscoverApproved registry, owner and purpose
InstallSignature, package and dependency review
ApproveExact tools, scopes and data access
ExecuteArguments, identity and resource authorization
UpdateDefinition, schema and permission diff
MonitorUnusual calls, output and policy failures
RetireCredential revocation and server removal

Approval and change review

Can This Tool Be Trusted?

Use this review before approval and after every meaningful update. A familiar name or previously safe version is not enough when definitions, permissions, dependencies or runtime behavior can change.

  1. Ownership and provenance

    Know who publishes and maintains the server or package.

    Verify
    • Use an approved source.
    • Record the owner and version.
    • Avoid anonymous or unverifiable components for sensitive work.
  2. Requested permissions

    Understand every file, API, resource and action the tool can reach.

    Verify
    • Prefer narrow read-only access.
    • Separate destructive actions.
    • Review any scope increase.
  3. Description and schema

    Compare the stated purpose with actual runtime behavior.

    Verify
    • Pin definitions.
    • Diff tool schemas.
    • Reject vague or overly broad parameters.
  4. Execution environment

    Contain the impact if the tool behaves incorrectly.

    Verify
    • Sandbox processes.
    • Restrict outbound destinations.
    • Limit filesystem and secret access.
  5. Update and revocation

    Trust must be reviewed continuously, not only at installation.

    Verify
    • Require change approval.
    • Detect rug pulls.
    • Support fast disable and credential revocation.
ApproveEvidence supports the intended, least-privilege use.
RestrictReduce scope, isolate execution or require approval.
RejectOwnership, behavior or revocation controls are unclear.

MCP Tool Poisoning Prevention Checklist

  • Allow tools only from approved, attributable sources.
  • Pin versions and compare descriptions, schemas and permissions before updates.
  • Use unique namespaces so one server cannot silently shadow another tool.
  • Validate every outbound argument against strict schemas and business rules.
  • Recheck user, tenant and resource authorization at execution time.
  • Treat tool results as untrusted content.
  • Sandbox local servers and restrict filesystem, process and network access.
  • Require approval for payment, deletion, privilege, communication and other sensitive actions.
  • Log tool discovery, approval, calls, results and definition changes.
  • Keep a tested disable and credential-revocation path.

Recent security research has also described broader MCP risks such as conversation hijacking and resource abuse. The practical response is layered control around identity, tools, data, execution and monitoring rather than reliance on model instructions alone.

Explore AI Security Topics

FAQs

MCP tool poisoning is a risk where unsafe or misleading tool descriptions, schemas, updates, or results influence how an AI agent selects or uses a tool.

It is commonly treated as an indirect prompt-injection risk because untrusted instructions can reach the model through tool metadata or results rather than the user prompt.

Schema poisoning happens when a tool parameter schema or description misrepresents the tool behavior, hides important effects, or changes after approval.

Tool shadowing occurs when a malicious or confusing tool influences how an agent uses another trusted tool, often through naming, descriptions, or cross-server context.

Yes. Definitions, schemas, dependencies, permissions, or runtime behavior can change. Pin versions, review diffs, monitor updates, and require reapproval for meaningful changes.

Use approved registries, verify ownership, pin versions, review descriptions and schemas, validate arguments and authorization outside the model, isolate trust domains, monitor calls, and require approval for sensitive actions.

Sources and further reading