Papers
Topics
Authors
Recent
Search
2000 character limit reached

Tool Poisoning Attacks in LLM Agents

Updated 3 July 2026
  • Tool Poisoning Attacks (TPA) are adversarial tactics injecting covert instructions into tool metadata to subvert LLM agents.
  • These attacks exploit the semantic gap in metadata processing to manipulate tool selection and execution, leading to actions like file exfiltration and remote command execution.
  • Empirical benchmarks reveal high attack success rates, driving research into cryptographic defenses, isolated planning, and dynamic anomaly detection.

A Tool Poisoning Attack (TPA) is a class of adversarial manipulation against tool-augmented LLM agents operating under protocols such as the Model Context Protocol (MCP). In TPA, an adversary injects malicious, covert instructions into the natural-language metadata or structured descriptors (e.g., JSON definitions) of tools, which are then trusted and internalized by the LLM’s planning components. These attacks are distinct from direct prompt injection and code-embedded poisoning, leveraging the agent’s assumption of descriptor truthfulness to induce unauthorized behavior, exfiltration, denial-of-service, or persistent compromise of the agentic control flow. TPAs fundamentally exploit the semantic gap between protocol-level integration and language-model reasoning, introducing critical vulnerabilities at the intersection of metadata, tool selection, and execution autonomy.

1. Formalization and Taxonomy in the MCP Ecosystem

TPAs are fundamentally indirect prompt-injection attacks targeting the agent’s context, rather than explicit user inputs or tool code. Let a tool definition be T=(m,p)T = (m, p) with mMm \in \mathcal{M} representing metadata (including name and description), and pPp \in \mathcal{P} encoding the parameter specification. A poisoning attack is defined by a mapping poison:MMadv\mathrm{poison}: \mathcal{M} \to \mathcal{M}_{\mathrm{adv}} such that madv=poison(m)m_{\mathrm{adv}} = \mathrm{poison}(m) causes the policy πθ(user_query,{m,T})action\pi_\theta(\mathrm{user\_query}, \{m, T\}) \to \mathrm{action} to deviate from intended service behavior (Huang et al., 23 Mar 2026).

Main TPA categories in current literature include:

  • File/credential exfiltration: embedding directives to read sensitive files such as ~/.ssh/id_rsa.
  • Unsanctioned tool invocation: enforcing “priority” or forced ordering on surveillance/logging tools.
  • Parameter tampering: hidden instructions to rewrite arguments, e.g., rerouting email recipients.
  • Remote command execution (RCE): directives to invoke shell commands via legitimate tool interfaces.
  • Phishing via UI: embedding Markdown links or hidden URLs in tool output.
  • Implicit poisoning: metadata of a dormant or never-invoked tool biases the invocation policy toward unanticipated, privileged tools (Li et al., 12 Jan 2026).

2. Threat Models, Attack Workflow, and Benchmarks

The canonical MCP threat model assumes that the agent automatically ingests tool metadata at registration, trusting the fields as authoritative. The adversary typically controls or registers tools via a compromised or malicious MCP server, supplying crafted descriptors with covert instructions (2608.14925).

In TPA, the manipulated tool description is injected into pdescpsystemp_{\mathrm{desc}} \subset p_{\mathrm{system}}. The agent’s reasoning over tool selection and sequencing is then influenced by the poisoned metadata, leading to execution of attacker-desired actions through otherwise legitimate external tools. Unlike behavior-based attacks, TPA affects the agent prior to any tool execution, rendering behavior-level defenses fundamentally insufficient (Wang et al., 28 Aug 2025).

Empirical characterization:

3. Stealth Techniques and ShareLock: Multi-Tool Threshold Poisoning

Early TPAs utilized plaintext embedding within a single tool descriptor, but these are increasingly detectable by static, content-based and LLM-driven vetting. ShareLock introduces a cryptographically-stealthy, multi-tool threshold poisoning scheme (Liu et al., 25 Jun 2026):

  • Payload splitting: The malicious instruction PadvP_{\mathrm{adv}} is partitioned into fragments, encoded as field elements NjN_j over a prime field Fp\mathbb{F}_p.
  • Shamir’s scheme: For each mMm \in \mathcal{M}0, a random polynomial mMm \in \mathcal{M}1 of degree mMm \in \mathcal{M}2 is constructed. Shares mMm \in \mathcal{M}3 are then computed and distributed across mMm \in \mathcal{M}4 tools via innocuous metadata fields (e.g., checksum).
  • Covert trigger: An additional tool is registered with a covert trigger (“EnvSetup”) instructing the agent to reconstruct mMm \in \mathcal{M}5 via Lagrange interpolation only when mMm \in \mathcal{M}6 or more shares are available at runtime.
  • Stealth property: Information-theoretic secrecy ensures that mMm \in \mathcal{M}7 shares reveal zero mutual information about the payload, making individual tool vetting ineffectual. Entropy analysis demonstrates that the blended tool descriptors are statistically indistinguishable from benign high-entropy tokens (Shannon entropy 5.22 bits/char vs. 5.02 bits/char for benign) (Liu et al., 25 Jun 2026).

Evaluation:

  • ShareLock achieves ASR mMm \in \mathcal{M}894%, task completion mMm \in \mathcal{M}996%, with attack stealth effectiveness (ASE) pPp \in \mathcal{P}095%. It strictly outperforms single-tool attacks (Encode-Only max 82.7% ASR), and is resilient to simulated tool auditing and moderate removal, maintaining ASR pPp \in \mathcal{P}190% as long as the threshold is met (Liu et al., 25 Jun 2026).

4. Detection, Attribution, and Defense Mechanisms

Traditional behavior-based monitoring (e.g., runtime provenance, output comparison) is ineffective against TPA, especially the implicit variants, since compromised tool need not be executed and behavioral traces are absent (Wang et al., 28 Aug 2025). Proposals for mitigation include:

  • Decision Dependence Graphs (DDG): MindGuard uses attention-based reasoning graphs where vertices are high-level concepts (user query, all tools, past invocations), and edges are attention-derived dependencies. Anomaly scores such as the Anomaly Influence Ratio (AIR) can efficiently detect and attribute poisoned influences, achieving 94–99% detection precision and 95–100% attribution accuracy with negligible latency (Wang et al., 28 Aug 2025).
  • Isolated Planning (Tool-Guard): When misaligned or suspicious behavior is detected, affected tools are quarantined into an “influenced list,” decoupling their context from the rest of the tool set. This system-level wrapper brings the ASR for cross-tool poisoning down from 43.3% (no defense) to 2.06% (Tool-Guard) while preserving task utility (Shi et al., 18 Jun 2026).
  • Protocol-level hardening: Requiring rigorously typed metadata, restricting custom fields (e.g., “checksum”), enforcing mutual consistency, cryptographically signing tool descriptors, and runtime confirmation for second-stage triggers (Jamshidi et al., 6 Dec 2025, Liu et al., 25 Jun 2026).
  • Multi-layered defense: Static metadata analysis (regex, JSON schema checking), decision/path tracking, anomaly detection (e.g., Mahalanobis distance on call features), and transparency-enhancing user UIs comprise a defense-in-depth stack (Huang et al., 23 Mar 2026).

5. Variants: Memory Poisoning and Implicit Attacks

Beyond the canonical attack surface of tool metadata, memory poisoning has emerged as a potent TPA vector. MemMorph demonstrates that injecting a minimal number of crafted, benign-looking records into the persistent memory of an LLM agent can efficiently bias future tool selection, even after self-reflection or context filtering (Zhang et al., 24 May 2026). Key findings:

  • Memory poisoning achieves up to 85.9% ASR (as compared to pPp \in \mathcal{P}240% for prompt-only baselines), and remains effective under memory growth and weak defenses.
  • Typical mitigation approaches, such as perplexity filters, shallow classifiers, and LLM auditors, cannot fully block memory-level attacks.

Implicit tool poisoning, as automated by MCP-ITP, constructs poisoned metadata that is never directly invoked but manipulates the agent to call privileged tools. Adaptive black-box optimization combines attack success with detector evasion, reaching an ASR up to 84.2% with malicious tool detection rates as low as 0.3% across twelve LLM agents (Li et al., 12 Jan 2026).

6. Empirical Benchmarks and Systemic Impact

Comprehensive sandboxes and security benchmarks such as MCPTox and MCP-TDP quantify systemic agentic vulnerability: high-fidelity experiments verify that nearly all widely used models (GPT-4o, Gemini, Claude) are susceptible to TPA, with baseline attack rates approaching 100% in high-risk scenarios (command execution, file tampering, privilege escalation) (2608.14925, Liu et al., 22 May 2026).

Key findings:

  • Simple content moderation, prompt guardrails, and output token filtering are largely ineffective; in some cases, they paradoxically boost attack success (the “Firewall Fallacy”) (Liu et al., 22 May 2026).
  • Post-execution anomaly detection (“Reactive Self-Correction”) demonstrates limited success (e.g., Claude and DeepSeek recover from pPp \in \mathcal{P}380% of detectable anomalies), but the primary attack almost always succeeds before correction (Liu et al., 22 May 2026).
  • Stronger instruction-following capacity implies elevated risk (“paradox of capability”): better-aligned models more reliably internalize adversarial metadata (Wang et al., 19 Aug 2025).

7. Open Challenges, Future Directions, and recommendations

The evolution of TPA, notably cryptographically-distributed payloads (ShareLock), persistent memory attacks (MemMorph), and black-box adaptive poisoning (MCP-ITP), highlights the escalation of adversary sophistication.

Emergent defense directions include:

  • Protocol-level cryptographic validation: RSA-based manifest signing prevents post-approval descriptor tampering (“rug pull”), but introduces latency and operational cost (Jamshidi et al., 6 Dec 2025).
  • Semantic vetting via auxiliary LLMs: LLM-on-LLM safety screening outperforms static regex but incurs higher latency; combined defense stacks reach 72.2% block rate against poisoning (Jamshidi et al., 6 Dec 2025).
  • Cross-tool and cross-metadata auditing: Dynamic, context-aware tools that aggregate and correlate multiple sources of metadata or evince semantic relationships (e.g., multi-tool overlays, inter-tool dependency graphs) are necessary to defeat threshold and distributed attacks (Liu et al., 25 Jun 2026).
  • Memory module provenance tracking and consistency checks: Robust, cryptographically attested memory ingestion pipelines are required to block the memory poisoning surface (Zhang et al., 24 May 2026).

Ongoing open research topics involve adversarial training for robust verifiers, formal guarantees for semantic descriptor integrity under compositional attack, decentralized validation, and scalable, low-latency certification of agent tool-calling (Ghitu et al., 10 Feb 2026). The need to integrate proactive semantic sanitization, real-time behavioral profiling, and reactive self-healing is emphasized as essential for securing autonomous LLM agent infrastructures in adversarial environments.


References:

(Wang et al., 19 Aug 2025) MCPTox: A Benchmark for Tool Poisoning Attack on Real-World MCP Servers (Liu et al., 25 Jun 2026) ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP (Wang et al., 28 Aug 2025) MindGuard: Tracking, Detecting, and Attributing MCP Tool Poisoning Attack via Decision Dependence Graph (Shi et al., 18 Jun 2026) Think Twice Before You Act: Protecting LLM Agents Against Tool Description Poisoning via Isolated Planning (Huang et al., 23 Mar 2026) Model Context Protocol Threat Modeling and Analyzing Vulnerabilities to Prompt Injection with Tool Poisoning (Zhang et al., 24 May 2026) MemMorph: Tool Hijacking in LLM Agents via Memory Poisoning (Li et al., 12 Jan 2026) MCP-ITP: An Automated Framework for Implicit Tool Poisoning in MCP (Jamshidi et al., 6 Dec 2025) Securing the Model Context Protocol: Defending LLMs Against Tool Poisoning and Adversarial Attacks (Liu et al., 22 May 2026) When the Manual Lies: A Realistic Benchmark to Evaluate MCP Poisoning Attacks for LLM Agents

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Tool Poisoning Attacks (TPA).