This research examines how Model Context Protocol (MCP) tools expand the attack surface for autonomous agents, detailing exploit vectors such as tool poisoning, orchestration injection, and rug-pull redefinitions alongside practical defense strategies.

Preamble

Key takeaways

MCP tools overview

Tool definitions

How AI applications can use tools

Zero-shot detection with LLM prompting

Security risks of the MCP and tools

Traditional vulnerabilities

Tool poisoning

Overview

Example: database query

Example detection: database query

Data exfiltration via tool parameters

Example: formatting tool with a hidden context leak

Example detection: hidden context leak

Obfuscated prompt injection

Rug pull tool redefinitions

Implicit Tool Call

Example: silent manipulation of a trusted tool

Example detection: silent manipulation of a trusted tool

Orchestration injection

Tool name collision

Example: bypassing file access controls

Data poisoning for tool invocation

How the attack works

Implicit tool call in Multi-Server Environments

Example: coordinated exfiltration with pre-authorized tools

Security recommendations

Bringing it all together

References

An in-depth exploration of MCP tool exploitation techniques and security recommendations for safeguarding AI agents.

MCP Tools: Attack Vectors and Defense Recommendations for Autonomous Agents

Author

Carolina Beretta

Articles

MCP Tools: Attack Vectors and Defense Recommendations for Autonomous Agents