Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Tool poisoning hides adversarial instructions in an MCP tool's description or schema, which the model reads but users never inspect, steering the agent into actions the user never asked for.
Imagine you hire a contractor and hand them a job sheet. You only read the title, 'fix the sink', but the fine print at the bottom says 'and also copy the house keys'. The contractor follows the whole sheet because that is what they were given. In MCP, the tool description is that job sheet. The model reads every word of it to decide how to use the tool, but the human only sees a short name in the approval popup. A malicious server writes instructions into that hidden fine print, and the model dutifully obeys them. Nothing looks wrong on screen, yet the agent has quietly been told to do something the user never requested.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: the description-as-context mechanism + the model-versus-user visibility gap + static metadata versus output injection + rug pulls and shadowing + the four-part defense.
| Aspect | Tool poisoning | Output-based prompt injection |
|---|---|---|
| Where it lives | Static tool description and schema | Live tool output or resource content |
| When it activates | At catalog load, before any call | After a tool runs and returns data |
| Primary vector | The description field | Returned text the model then reads |
| Key defense | Vet and pin descriptions, surface to user | Sanitize and quarantine tool outputs |
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Thinking the attack lives in tool outputs. Tool poisoning lives in the static description and schema the model reads before any call runs.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.