What is tool poisoning in MCP?
Tool poisoning hides adversarial instructions in an MCP tool's description or schema, which the model reads but users never inspect, steering the agent into actions the user never asked for.
Imagine you hire a contractor and hand them a job sheet. You only read the title, 'fix the sink', but the fine print at the bottom says 'and also copy the house keys'. The contractor follows the whole sheet because that is what they were given. In MCP, the tool description is that job sheet. The model reads every word of it to decide how to use the tool, but the human only sees a short name in the approval popup. A malicious server writes instructions into that hidden fine print, and the model dutifully obeys them. Nothing looks wrong on screen, yet the agent has quietly been told to do something the user never requested.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: the description-as-context mechanism + the model-versus-user visibility gap + static metadata versus output injection + rug pulls and shadowing + the four-part defense.
| Aspect | Tool poisoning | Output-based prompt injection |
|---|---|---|
| Where it lives | Static tool description and schema | Live tool output or resource content |
| When it activates | At catalog load, before any call | After a tool runs and returns data |
| Primary vector | The description field | Returned text the model then reads |
| Key defense | Vet and pin descriptions, surface to user | Sanitize and quarantine tool outputs |
Real products, models, and research that use this idea.
- Invariant Labs publicly demonstrated MCP tool poisoning in 2025, hiding exfiltration instructions inside a tool description that hosts did not show users.
- The OWASP MCP Top 10, published in 2025, lists tool description injection and rug pulls as named risks for production MCP deployments.
- Anthropic's MCP spec added an explicit trust-and-safety section advising hosts to surface full tool metadata and require user consent before invocation.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you detect a rug pull where a server silently changes a tool description after the user approved it?
QWhy is treating tool descriptions as untrusted input not enough on its own?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Thinking the attack lives in tool outputs. Tool poisoning lives in the static description and schema the model reads before any call runs.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.