Papers
Topics
Authors
Recent
Search
2000 character limit reached

ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP

Published 25 Jun 2026 in cs.CR and cs.AI | (2606.27027v1)

Abstract: With the rapid evolution of LLM-driven agents, Model Context Protocol (MCP), an open protocol bridging LLMs with external tools, has quickly become foundational to modern agent ecosystems. However, the expanding adoption of MCP has also introduced novel security concerns such as Tool Poisoning Attack (TPA), which exploit LLM-server interactions to inject malicious prompts. Existing poisoning schemes typically adopt a monolithic plaintext embedding paradigm, which fails to withstand manual inspection or automated detectors. Current research still lacks a systematic analysis on multi-tool poisoning, where multiple tools can be exploited cooperatively to disperse detection risk. In this paper, we introduce ShareLock, a multi-tool threshold poisoning framework that utilizes Shamir's threshold scheme to ensure exceptional stealth and fault tolerance. ShareLock distributes the malicious instruction as benign-looking secret shares across multiple tool descriptions, achieving both information-theoretic secrecy and attack robustness against moderate auditing. After a covert reconstruction trigger is planted during server update, the aggregated shares reconstruct the hidden instruction, resulting in critical breaches of system assets or private data. To evaluate the realistic threat of ShareLock, we constructed a comprehensive benchmark encompassing four multi-tool scenarios and conducted extensive experiments across mainstream LLMs on two distinct MCP clients. Our results demonstrate that ShareLock significantly outperforms existing single-tool poisoning strategies in tool description-based detection while maintaining an average attack success rate exceeding 90%.

Summary

  • The paper introduces a novel threshold-based poisoning attack that distributes malicious payloads across multiple MCP tools using Shamir’s secret sharing.
  • It demonstrates over 90% attack success and exceptional stealth by evading static and dynamic safety defenses in diverse tool-use scenarios.
  • The study underscores the need for dynamic, cryptography-aware detection methods to defend agentic LLM systems against distributed poisoning threats.

ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP

Introduction and Problem Formulation

The Model Context Protocol (MCP) has been widely adopted to extend LLM-based agentic architectures with tool-use capabilities by bridging LLMs to external APIs and resources in a platform-agnostic manner. This flexible compositionality, while enhancing the breadth of AI functionalities, introduces a significant new attack surface: the tool poisoning attack (TPA). Existing TPAs are largely dominated by single-tool, plaintext prompt injection paradigms that are relatively easy to detect via static analysis (manual audits, rule-based scanners, or SFT-aligned safety guard models). The lack of systematic analysis for realistic, multi-tool poisoning attack modalities has resulted in a major blindspot in MCP security research.

This work introduces ShareLock, a multi-tool, threshold-based poisoning attack framework that leverages Shamir’s secret sharing to distribute a cryptographically obfuscated malicious payload across multiple tool descriptors. The key insight is that any tt out of nn of these shares enable lossless reconstitution of the malicious prompt at runtime, even if up to ntn-t compromised tools are omitted during moderate vetting. The framework thus achieves information-theoretic secrecy, fault tolerance, and considerably enhanced stealth over monolithic attack strategies. Figure 1

Figure 1: Overview of MCP workflow and tool poisoning attack mechanism.

Multi-Tool Threshold Attack Construction

ShareLock fundamentally alters TPA execution within MCP-based ecosystems by introducing a three-phase, threshold-cryptographic workflow:

  1. Initial Encoding Setup: The adversarial payload is mapped into a numerical domain via a bijective encoding (e.g., ASCII→Zp\mathbb{Z}_p).
  2. Benign-Share Generation: Via Shamir’s (t,n)(t, n) secret-sharing, each tool is seeded with a secret share camouflaged as innocuous metadata (e.g., tool IDs, checksums, policy strings), making individual audit trivial to evade.
  3. Trigger-Aware Reconstruction: A covert trigger (typically presented as a benign initialization tool during a server update) is used to orchestrate the collection and Lagrange-based reconstruction of the distributed payload during agent workflow execution. Only when tt shares are activated is the malicious routine injected into tool usage, enabling unauthorized actions with strong robustness guarantees. Figure 2

    Figure 2: ShareLock attack: malicious shares are embedded across tool metadata; upon trigger activation, sufficient shares reconstruct the adversarial prompt for execution.

Mechanistically, this architecture not only yields significant stealth—sub-tt auditing reveals no information about the underlying attack—but also ensures resilience: unless at least nt+1n-t+1 shares are neutralized, the attack is fully reconstructable.

Evaluation: Efficacy, Stealth, and Robustness

Extensive empirical validation was performed across multiple MCP agent platforms (Cherry Studio, Cline), leading LLMs (Gemini-2.5-Flash, DeepSeek-V3.1/V3.2, Qwen3-235B-Thinking), and four high-complexity multi-tool scenarios (Travel, Coding, Finance, Office). The results demonstrate average attack success rates (ASR) exceeding 90% with minimal user-perceptible workflow disruption (TCR ≈ 96%).

Table-based ablation against single-tool baselines (plaintext TPA, puppet/indirect, encode-only) reveals ShareLock’s consistently higher ASR and stealth, with baseline methods yielding ASR drops upwards of 40–60% on well-aligned models (e.g., Gemini-2.5-Flash). Critical failure mode analysis shows that ShareLock naturally circumvents efficiency-aligned models’ tendency to ignore monolithic adversarial payloads, as the stealthy, distributed chain-of-reasoning approach bypasses static safety guards.

Stealth Characterization and Adaptive Defenses

Stealth efficacy was systematically validated against state-of-the-art zero-shot LLM-based and supervised-finetuned (SFT) guard models. Plaintext baselines are consistently flagged as unsafe, directly mapped to high-severity hazard categories. In contrast, ShareLock’s distributed shares evade policy-based and entropy-based detectors, as payload entropy is diluted into the benign context and hash-like metadata. Tools embedding triggers (EnvSetup), except under the strongest models (Claude-Sonnet-4.5), are also mis-classified as safe due to lack of explicit harmful string patterns. Figure 3

Figure 3: ShareLock, unlike plaintext strategies, yields low threat scores in LLM-based safety classifiers across all hazard categories except for rare trigger detection by Claude.

Threshold Robustness and Parameter Sensitivity

Critical threshold properties are validated with (t=3,n=5)(t=3, n=5) ablation. As long as ktk \geq t, ASR remains maximal; only when nn0 does the attack deterministically fail, consistent with Shamir’s information-theoretic secrecy. ShareLock success exhibits temperature sensitivity: too much generation randomness (high temperature) increases workflow collapse, while sufficiently deterministic sampling ensures chaining and reconstruction coverage. Figure 4

Figure 4: ASR and TCR remain robust under partial tool loss for nn1, demonstrating fault tolerance; attack fails deterministically only for nn2.

Figure 5

Figure 5: Optimal attack efficacy is achieved at intermediate temperature; high randomness impairs attack chain reliability, collapsing both ASR and agent workflow (TCR) on most models.

Token Consumption and Practical Implications

ShareLock and encode-only attacks introduce measurable token overhead due to additional reconstruction and workflow steps, but such overhead is difficult to operationally isolate from benign complex workflows, limiting its utility as a defense. Figure 6

Figure 6: All poisoning strategies increase token usage, but ShareLock’s overhead is plausibly indistinguishable from benign, hash-intensive tool descriptors.

Limitations and Open Directions

  1. Prompt Engineering Dependency: ShareLock’s multi-step orchestration is inherently more fragile—decoding and trigger logic may fail due to prompt misalignment, model time-anxiety, or overzealous user-in-the-loop confirmation.
  2. Deployment Factors: Agent platforms implementing strict, stepwise access control or consent may disrupt attack execution but at the cost of agent autonomy and user convenience.
  3. Detection Gaps: Existing model-intrinsic guardrails and policy classifiers are insufficient for attacks leveraging distributed cryptographic dispersion and dynamic reconstruction.

Conclusion

ShareLock exposes critical weaknesses in the current MCP security model: protocol-level attacks that exploit threshold cryptography for robust, multi-tool poisoning circumvent static and dynamic safety defenses. The demonstrated information-theoretic secrecy, robust attack efficacy, and high stealth profile underscore the urgent need for cross-tool, context-aware, dynamic threat detection mechanisms in agentic LLM systems. Future defense research must accommodate the distributed and temporal nature of multi-tool orchestration attacks, moving beyond static pattern matching and isolated tool auditing paradigms.

Implications and Future Directions

The study highlights the necessity of research into cryptographically aware vetting, audit log correlation, and online anomaly detection for multi-agent toolflows. Further attention must be paid to dynamic protocol state, reconstruction triggers, and the integration of distributed provenance mechanisms capable of identifying malicious cross-tool payload reconstitution in-flight, given the severe resilience, stealth, and impact demonstrated here. Emerging agent platforms must abandon naive trust assumptions about tool descriptors in favor of compositional, context-dependent risk assessment for all protocol-activated resources.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.