Table of Contents
Fetching ...

MCP-ITP: An Automated Framework for Implicit Tool Poisoning in MCP

Ruiqi Li, Zhiqiang Wang, Yunhao Yao, Xiang-Yang Li

TL;DR

The paper identifies implicit tool poisoning as a practical security risk in the Model Context Protocol (MCP), where malicious tool metadata can steer an agent to invoke legitimate high-privilege tools without ever executing the poisoned tool. It introduces MCP-ITP, an automated black-box optimization framework that uses an attacker LLM, a detector LLM, and an evaluator LLM to craft poisoned tool descriptions (splitting descriptions into camouflage content R and malicious content S) and iteratively optimize them via shadow queries. Experiments on the MCPTox dataset across 12 LLM agents show MCP-ITP substantially increases Attack Success Rate (ASR) up to 84.2% while keeping Malicious Tool Detection Rate (MDR) as low as 0.3%, outperforming manually crafted baselines. The results demonstrate a clear vulnerability in current MCP deployments and highlight the urgent need for defense mechanisms to mitigate implicit tool poisoning in tool-enabled AI systems.

Abstract

To standardize interactions between LLM-based agents and their environments, the Model Context Protocol (MCP) was proposed and has since been widely adopted. However, integrating external tools expands the attack surface, exposing agents to tool poisoning attacks. In such attacks, malicious instructions embedded in tool metadata are injected into the agent context during MCP registration phase, thereby manipulating agent behavior. Prior work primarily focuses on explicit tool poisoning or relied on manually crafted poisoned tools. In contrast, we focus on a particularly stealthy variant: implicit tool poisoning, where the poisoned tool itself remains uninvoked. Instead, the instructions embedded in the tool metadata induce the agent to invoke a legitimate but high-privilege tool to perform malicious operations. We propose MCP-ITP, the first automated and adaptive framework for implicit tool poisoning within the MCP ecosystem. MCP-ITP formulates poisoned tool generation as a black-box optimization problem and employs an iterative optimization strategy that leverages feedback from both an evaluation LLM and a detection LLM to maximize Attack Success Rate (ASR) while evading current detection mechanisms. Experimental results on the MCPTox dataset across 12 LLM agents demonstrate that MCP-ITP consistently outperforms the manually crafted baseline, achieving up to 84.2% ASR while suppressing the Malicious Tool Detection Rate (MDR) to as low as 0.3%.

MCP-ITP: An Automated Framework for Implicit Tool Poisoning in MCP

TL;DR

The paper identifies implicit tool poisoning as a practical security risk in the Model Context Protocol (MCP), where malicious tool metadata can steer an agent to invoke legitimate high-privilege tools without ever executing the poisoned tool. It introduces MCP-ITP, an automated black-box optimization framework that uses an attacker LLM, a detector LLM, and an evaluator LLM to craft poisoned tool descriptions (splitting descriptions into camouflage content R and malicious content S) and iteratively optimize them via shadow queries. Experiments on the MCPTox dataset across 12 LLM agents show MCP-ITP substantially increases Attack Success Rate (ASR) up to 84.2% while keeping Malicious Tool Detection Rate (MDR) as low as 0.3%, outperforming manually crafted baselines. The results demonstrate a clear vulnerability in current MCP deployments and highlight the urgent need for defense mechanisms to mitigate implicit tool poisoning in tool-enabled AI systems.

Abstract

To standardize interactions between LLM-based agents and their environments, the Model Context Protocol (MCP) was proposed and has since been widely adopted. However, integrating external tools expands the attack surface, exposing agents to tool poisoning attacks. In such attacks, malicious instructions embedded in tool metadata are injected into the agent context during MCP registration phase, thereby manipulating agent behavior. Prior work primarily focuses on explicit tool poisoning or relied on manually crafted poisoned tools. In contrast, we focus on a particularly stealthy variant: implicit tool poisoning, where the poisoned tool itself remains uninvoked. Instead, the instructions embedded in the tool metadata induce the agent to invoke a legitimate but high-privilege tool to perform malicious operations. We propose MCP-ITP, the first automated and adaptive framework for implicit tool poisoning within the MCP ecosystem. MCP-ITP formulates poisoned tool generation as a black-box optimization problem and employs an iterative optimization strategy that leverages feedback from both an evaluation LLM and a detection LLM to maximize Attack Success Rate (ASR) while evading current detection mechanisms. Experimental results on the MCPTox dataset across 12 LLM agents demonstrate that MCP-ITP consistently outperforms the manually crafted baseline, achieving up to 84.2% ASR while suppressing the Malicious Tool Detection Rate (MDR) to as low as 0.3%.
Paper Structure (27 sections, 6 equations, 5 figures, 2 tables, 1 algorithm)

This paper contains 27 sections, 6 equations, 5 figures, 2 tables, 1 algorithm.

Figures (5)

  • Figure 1: The workflow of MCP and MCP-ITP. During MCP registration, malicious instructions embedded in the poisoned tool description (e.g., qubit) are injected into the agent's context. As a result, the user query to read a file can be hijacked: the agent ignores the request and instead calls $write\_file$ to modify sensitive assets (e.g., SSH private key), creating a severe security risk.
  • Figure 2: The overview of MCP-ITP. It consists of three key components: an attacker LLM $L_A$ that iteratively optimizes poisoned tools, a malicious tool detector LLM $L_D$, and an effectiveness evaluator LLM $L_E$. Given an original tool $T_A$ and a target tool $T_G$, MCP-ITP crafts a poisoned tool $T_K$.
  • Figure 3: Detail results across different MCP Servers.
  • Figure 4: MDR results of MCP-ITP and MCPTox under different settings.
  • Figure 5: ASR under different optimization iterations and reasoning settings. (a) ASR optimization trends over multiple iteration TT for representative models on the Commander server. (b) ASR comparison between w/ and w/o reasoning for Qwen3 models of different scales.