Tool Abuse / Excessive AgencyHigh

MCP tool poisoning (tool-description injection)

April 2025  ·  Model Context Protocol (ecosystem)

What happened

Invariant Labs disclosed an MCP attack class in which hidden instructions embedded in a tool's description or schema fields are ingested by the agent as authoritative, enabling data exfiltration, tool hijacking, and rug-pull swaps where a previously approved tool turns malicious. They released MCP-Scan to detect it.

Root cause

Agents read MCP tool metadata as trusted context and approval is typically one-time, so a server can hide instructions in tool descriptions or change a tool's behavior after the user approves it.

Fix / outcome

Mitigation is pinning and re-verifying tool definitions, scanning tool metadata, and not granting blanket trust to third-party MCP servers. It is now the basis for several MCP security scanners.

Sources

Invariant Labs (discoverer)

Learn this attack class

This incident is an example of Tool Abuse / Excessive Agency. Read the guide, then try it hands-on in the Academy.

Read the guide →Try the challenge

← Back to the Incident Database