- The paper introduces a novel threshold-based poisoning attack that distributes malicious payloads across multiple MCP tools using Shamir’s secret sharing.
- It demonstrates over 90% attack success and exceptional stealth by evading static and dynamic safety defenses in diverse tool-use scenarios.
- The study underscores the need for dynamic, cryptography-aware detection methods to defend agentic LLM systems against distributed poisoning threats.
The Model Context Protocol (MCP) has been widely adopted to extend LLM-based agentic architectures with tool-use capabilities by bridging LLMs to external APIs and resources in a platform-agnostic manner. This flexible compositionality, while enhancing the breadth of AI functionalities, introduces a significant new attack surface: the tool poisoning attack (TPA). Existing TPAs are largely dominated by single-tool, plaintext prompt injection paradigms that are relatively easy to detect via static analysis (manual audits, rule-based scanners, or SFT-aligned safety guard models). The lack of systematic analysis for realistic, multi-tool poisoning attack modalities has resulted in a major blindspot in MCP security research.
This work introduces ShareLock, a multi-tool, threshold-based poisoning attack framework that leverages Shamir’s secret sharing to distribute a cryptographically obfuscated malicious payload across multiple tool descriptors. The key insight is that any t out of n of these shares enable lossless reconstitution of the malicious prompt at runtime, even if up to n−t compromised tools are omitted during moderate vetting. The framework thus achieves information-theoretic secrecy, fault tolerance, and considerably enhanced stealth over monolithic attack strategies.
Figure 1: Overview of MCP workflow and tool poisoning attack mechanism.
ShareLock fundamentally alters TPA execution within MCP-based ecosystems by introducing a three-phase, threshold-cryptographic workflow:
- Initial Encoding Setup: The adversarial payload is mapped into a numerical domain via a bijective encoding (e.g., ASCII→Zp).
- Benign-Share Generation: Via Shamir’s (t,n) secret-sharing, each tool is seeded with a secret share camouflaged as innocuous metadata (e.g., tool IDs, checksums, policy strings), making individual audit trivial to evade.
- Trigger-Aware Reconstruction: A covert trigger (typically presented as a benign initialization tool during a server update) is used to orchestrate the collection and Lagrange-based reconstruction of the distributed payload during agent workflow execution. Only when t shares are activated is the malicious routine injected into tool usage, enabling unauthorized actions with strong robustness guarantees.
Figure 2: ShareLock attack: malicious shares are embedded across tool metadata; upon trigger activation, sufficient shares reconstruct the adversarial prompt for execution.
Mechanistically, this architecture not only yields significant stealth—sub-t auditing reveals no information about the underlying attack—but also ensures resilience: unless at least n−t+1 shares are neutralized, the attack is fully reconstructable.
Evaluation: Efficacy, Stealth, and Robustness
Extensive empirical validation was performed across multiple MCP agent platforms (Cherry Studio, Cline), leading LLMs (Gemini-2.5-Flash, DeepSeek-V3.1/V3.2, Qwen3-235B-Thinking), and four high-complexity multi-tool scenarios (Travel, Coding, Finance, Office). The results demonstrate average attack success rates (ASR) exceeding 90% with minimal user-perceptible workflow disruption (TCR ≈ 96%).
Table-based ablation against single-tool baselines (plaintext TPA, puppet/indirect, encode-only) reveals ShareLock’s consistently higher ASR and stealth, with baseline methods yielding ASR drops upwards of 40–60% on well-aligned models (e.g., Gemini-2.5-Flash). Critical failure mode analysis shows that ShareLock naturally circumvents efficiency-aligned models’ tendency to ignore monolithic adversarial payloads, as the stealthy, distributed chain-of-reasoning approach bypasses static safety guards.
Stealth Characterization and Adaptive Defenses
Stealth efficacy was systematically validated against state-of-the-art zero-shot LLM-based and supervised-finetuned (SFT) guard models. Plaintext baselines are consistently flagged as unsafe, directly mapped to high-severity hazard categories. In contrast, ShareLock’s distributed shares evade policy-based and entropy-based detectors, as payload entropy is diluted into the benign context and hash-like metadata. Tools embedding triggers (EnvSetup), except under the strongest models (Claude-Sonnet-4.5), are also mis-classified as safe due to lack of explicit harmful string patterns.
Figure 3: ShareLock, unlike plaintext strategies, yields low threat scores in LLM-based safety classifiers across all hazard categories except for rare trigger detection by Claude.
Threshold Robustness and Parameter Sensitivity
Critical threshold properties are validated with (t=3,n=5) ablation. As long as k≥t, ASR remains maximal; only when n0 does the attack deterministically fail, consistent with Shamir’s information-theoretic secrecy. ShareLock success exhibits temperature sensitivity: too much generation randomness (high temperature) increases workflow collapse, while sufficiently deterministic sampling ensures chaining and reconstruction coverage.
Figure 4: ASR and TCR remain robust under partial tool loss for n1, demonstrating fault tolerance; attack fails deterministically only for n2.
Figure 5: Optimal attack efficacy is achieved at intermediate temperature; high randomness impairs attack chain reliability, collapsing both ASR and agent workflow (TCR) on most models.
Token Consumption and Practical Implications
ShareLock and encode-only attacks introduce measurable token overhead due to additional reconstruction and workflow steps, but such overhead is difficult to operationally isolate from benign complex workflows, limiting its utility as a defense.
Figure 6: All poisoning strategies increase token usage, but ShareLock’s overhead is plausibly indistinguishable from benign, hash-intensive tool descriptors.
Limitations and Open Directions
- Prompt Engineering Dependency: ShareLock’s multi-step orchestration is inherently more fragile—decoding and trigger logic may fail due to prompt misalignment, model time-anxiety, or overzealous user-in-the-loop confirmation.
- Deployment Factors: Agent platforms implementing strict, stepwise access control or consent may disrupt attack execution but at the cost of agent autonomy and user convenience.
- Detection Gaps: Existing model-intrinsic guardrails and policy classifiers are insufficient for attacks leveraging distributed cryptographic dispersion and dynamic reconstruction.
Conclusion
ShareLock exposes critical weaknesses in the current MCP security model: protocol-level attacks that exploit threshold cryptography for robust, multi-tool poisoning circumvent static and dynamic safety defenses. The demonstrated information-theoretic secrecy, robust attack efficacy, and high stealth profile underscore the urgent need for cross-tool, context-aware, dynamic threat detection mechanisms in agentic LLM systems. Future defense research must accommodate the distributed and temporal nature of multi-tool orchestration attacks, moving beyond static pattern matching and isolated tool auditing paradigms.
Implications and Future Directions
The study highlights the necessity of research into cryptographically aware vetting, audit log correlation, and online anomaly detection for multi-agent toolflows. Further attention must be paid to dynamic protocol state, reconstruction triggers, and the integration of distributed provenance mechanisms capable of identifying malicious cross-tool payload reconstitution in-flight, given the severe resilience, stealth, and impact demonstrated here. Emerging agent platforms must abandon naive trust assumptions about tool descriptors in favor of compositional, context-dependent risk assessment for all protocol-activated resources.