Summary from www.cyberark.com

The Model Context Protocol (MCP) for LLM tool integration is highly susceptible to sophisticated “tool poisoning” attacks—far beyond just the tool description field—making every part of the tool schema and output a potential security risk.

Tool Poisoning Attacks (TPA) can exploit any part of the MCP tool schema, not just descriptions; attackers can inject malicious prompts into parameter names, types, required fields, or even tool outputs.
Advanced Tool Poisoning Attacks (ATPA) manipulate dynamic tool outputs, like error messages, to trigger LLMs into leaking sensitive data—these attacks are subtle and hard to detect.
Effective mitigation requires zero-trust principles: comprehensive static/dynamic validation, strict client enforcement, runtime auditing, and heightened LLM skepticism toward tool outputs.

Demonstrations show LLMs acting on instructions hidden in innocuous schema fields or tool outputs, not just obvious descriptions.
Attackers can leverage behavioral triggers that only activate in production, making malicious actions nearly invisible in testing.
Even parameter names or extra, undocumented schema fields can act as undetectable attack vectors.

“Every part of the tool schema is a potential injection point, not just the description.”
“The entire tool schema is part of the LLM’s context window and thus part of its reasoning.”
“Defending against these advanced threats requires a paradigm shift from a model of qualified trust...to one of zero-trust for all external tool interactions.”

Source URL•Original: 5517 words•Summary: 239 words