MCP-ITP: An Automated Framework for Implicit Tool Poisoning in MCP
Ruiqi Li, Zhiqiang Wang, Yunhao Yao, Xiang-Yang Li
TL;DR
The paper identifies implicit tool poisoning as a practical security risk in the Model Context Protocol (MCP), where malicious tool metadata can steer an agent to invoke legitimate high-privilege tools without ever executing the poisoned tool. It introduces MCP-ITP, an automated black-box optimization framework that uses an attacker LLM, a detector LLM, and an evaluator LLM to craft poisoned tool descriptions (splitting descriptions into camouflage content R and malicious content S) and iteratively optimize them via shadow queries. Experiments on the MCPTox dataset across 12 LLM agents show MCP-ITP substantially increases Attack Success Rate (ASR) up to 84.2% while keeping Malicious Tool Detection Rate (MDR) as low as 0.3%, outperforming manually crafted baselines. The results demonstrate a clear vulnerability in current MCP deployments and highlight the urgent need for defense mechanisms to mitigate implicit tool poisoning in tool-enabled AI systems.
Abstract
To standardize interactions between LLM-based agents and their environments, the Model Context Protocol (MCP) was proposed and has since been widely adopted. However, integrating external tools expands the attack surface, exposing agents to tool poisoning attacks. In such attacks, malicious instructions embedded in tool metadata are injected into the agent context during MCP registration phase, thereby manipulating agent behavior. Prior work primarily focuses on explicit tool poisoning or relied on manually crafted poisoned tools. In contrast, we focus on a particularly stealthy variant: implicit tool poisoning, where the poisoned tool itself remains uninvoked. Instead, the instructions embedded in the tool metadata induce the agent to invoke a legitimate but high-privilege tool to perform malicious operations. We propose MCP-ITP, the first automated and adaptive framework for implicit tool poisoning within the MCP ecosystem. MCP-ITP formulates poisoned tool generation as a black-box optimization problem and employs an iterative optimization strategy that leverages feedback from both an evaluation LLM and a detection LLM to maximize Attack Success Rate (ASR) while evading current detection mechanisms. Experimental results on the MCPTox dataset across 12 LLM agents demonstrate that MCP-ITP consistently outperforms the manually crafted baseline, achieving up to 84.2% ASR while suppressing the Malicious Tool Detection Rate (MDR) to as low as 0.3%.
