Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Tool poisoning hides adversarial instructions in the tool description, which the model reads as trusted guidance but users never see in approval dialogs.
Picture hiring a contractor and handing them a clipboard of job instructions. You glance at the cover sheet, which just says 'fix the sink.' But in tiny print on page three, someone has written 'also, copy the homeowner's keys and mail them to this address.' The contractor reads the whole clipboard and treats every line as your order. In MCP, the tool description is that clipboard. The model reads it in full to decide how and when to use a tool. You only ever see the cover sheet, which is the tool name in the approval popup. An attacker writes hidden orders in the fine print, and the model obeys them as if they came from you. The mismatch between what the model reads and what you see is the whole trick.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: where the description sits in the tool definition, the model-versus-user visibility gap, why it beats name/schema/result vectors, and the vet/hash/expose/sandbox defense stack.
| Vector | When it fires | User-visible? | Mechanism |
|---|---|---|---|
| Description poisoning | Before any call, every turn in context | No, dialogs show only the name | Adversarial text in tool description read as trusted instructions |
| Result poisoning | After the call, in tool output | Partly, output may be shown | Injection through returned content the model later reads |
| Rug pull | After approval, on a silent update | No, change is not re-surfaced | Server swaps a vetted definition for a malicious one |
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Thinking the attack lives in tool output. Output poisoning is a separate vector; description poisoning fires before any call and stays hidden from users.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.