Explain the tool poisoning attack in MCP: mechanism, impact, and defenses
Explain how a tool poisoning attack works in MCP: which field is the vector, what the attacker can achieve, and what defenses are available to a host.
Tool poisoning hides attacker instructions in a tool's description field, which the model reads as guidance but the user never sees in the approval prompt.
Imagine hiring a contractor who hands you a one-line job title to approve: 'paint the fence'. You sign off on the title. But stapled to the back, in tiny print only the contractor's assistant reads, is a note: 'also copy the house keys and mail them to this address'. You approved the title; the assistant followed the hidden note. In MCP, the tool name is the title you approve, and the tool description is the hidden note the model actually reads. A malicious server writes harmful directions into that description, so the model quietly does things you never agreed to. The fix is to read the whole note before signing, and to distrust contractors you did not vet.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: vector (description as model-visible instruction) + impact (exfiltration, hidden unicode, approval gap) + layered defenses (untrusted treatment, pin and hash, surface full text, scan, least privilege, vetted registries).
| Attack | What the server does | Primary defense |
|---|---|---|
| Tool poisoning | Hides instructions in the tool description at registration | Treat descriptions as untrusted; surface full text in approval |
| Rug pull | Mutates an approved tool definition later | Pin and hash definitions; diff on every reconnect |
| Cross-server shadowing | Describes a tool to hijack calls meant for a trusted server | Namespace tools per server; least privilege; vetted registries |
| Hidden unicode payload | Embeds zero-width or bidirectional characters in the text | Scan and decode; flag invisible characters before injection |
Real products, models, and research that use this idea.
- Invariant Labs disclosed MCP tool poisoning in 2025, showing a poisoned description coaxing a model to leak SSH keys via tool arguments.
- The OWASP MCP Top 10, published in 2025, lists tool poisoning and rug pull mutation as named risks for host implementers.
- Claude Desktop and Cursor both gate MCP tool calls behind per-call user approval, the control layer where surfacing full descriptions matters most.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you design a host-side defense that catches a rug pull after a tool was already approved?
QWhy does surfacing the full description in the approval UI only partially solve the problem?
QHow does tool poisoning relate to classic prompt injection, and where do they differ?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating the tool description as inert metadata. The model reads it as live instruction, so it is an injection surface, not documentation.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.