Which of the following are categories in the community-maintained OWASP MCP / Agentic AI risk taxonomy (2025)?
Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
The MCP-specific risks are tool poisoning, excessive permissions, rug pull, and confused deputy. SQL injection and weak training data are generic distractors, not MCP categories.
Imagine hiring a contractor who hands you a list of jobs they can do. A poisoned list hides sneaky instructions in the small print, so tool poisoning. A contractor who keeps the master key to your whole house when they only needed the garage has too much access, so excessive permissions. One who swaps the job list for a worse one after you sign the contract is pulling the rug. One who uses your trust to slip into rooms they were never meant to enter is a confused deputy. Those four are real MCP worries. A clumsy database query or a model trained on thin data are real problems elsewhere, but they are not on this contractor-trust checklist.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: name the four genuine MCP categories, separate the two distractors, then map each real category to a concrete production defense.
| Category | MCP seam exploited | In OWASP MCP Top 10? |
|---|---|---|
| Tool poisoning | Tool description metadata trusted by the model | Yes |
| Excessive permissions | Server scope broader than the task needs | Yes |
| Rug pull | Tool definition mutated after approval | Yes |
| Confused deputy | Legitimate privileges abused on attacker's behalf | Yes |
| SQL injection | Generic query-building input validation | No, general web risk |
| Insufficient training data | Model quality, not a protocol channel | No, unrelated |
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Selecting SQL injection because MCP tools can run queries. The risk is real, but it is a generic web flaw, not an MCP-specific OWASP category.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.