Risk
Tool Result Poisoning at Runtime
Description
A tool or MCP server returns crafted output (poisoned data, hidden instructions in tool descriptions) that the agent treats as trusted.
Example
A community MCP server returns a tool description containing hidden directives that cause the agent to exfiltrate local credentials.
Assets Affected
Tool
MCP Server
AI Agent
Agent Harness
Mitigation
- Schema-validate tool outputs
- sanitize tool descriptions before injection
- pin and verify MCP versions
- alert on schema violations.
Standards Mapping
- ISO: A.10.3, A.7.6
- OWASP agentic: ASI02, ASI06
- OWASP LLM: LLM01:2025
- EU AI Act: Art. 15(5)
- DASF: Agents-MCP Server 13.18, Agents-MCP Server 13.24
- AIUC-1: B001, B006