auditing-mcp-servers-for-tool-poisoning
Auditing MCP Servers for Tool Poisoning
Authorized-use-only notice: Auditing MCP servers can connect to and probe live tool endpoints. Only scan servers you own or are authorized to assess. Treat scanned tool descriptions as untrusted input — do not load an unaudited MCP server into a privileged agent. Probing third-party MCP endpoints for SSRF or auth weaknesses without permission may be illegal.
Overview
The Model Context Protocol (MCP) lets AI agents discover and call external tools advertised by MCP servers. Each tool exposes a name and a natural-language description that the agent's LLM reads before deciding to call it. In early 2025, Invariant Labs disclosed that this description field is an attack surface: a malicious server can embed hidden instructions in a tool's description (a tool poisoning attack, OWASP MCP03:2025), and a capable model will silently follow them — exfiltrating files, leaking secrets, or redirecting tool calls — while returning a normal-looking response to the user. Because tool descriptions are loaded into the agent's context, tool poisoning is effectively indirect prompt injection delivered through the supply chain (MITRE ATLAS AML.T0010 ML Supply Chain Compromise).
Beyond poisoning, MCP servers introduce classic infrastructure risks: tool shadowing (a malicious server overrides a trusted tool's behavior), rug pulls (a tool's description changes after the user approved it), toxic flows (a combination of tools that enables data exfiltration), SSRF in tools that fetch URLs server-side, and unauthenticated exposure of MCP servers bound to network interfaces. This skill audits MCP servers end-to-end using Invariant Labs' mcp-scan for static and runtime analysis, plus manual checks for SSRF and authentication, and tool pinning to catch rug pulls.
When to Use
- Before adding a new MCP server to an agent stack (Claude Desktop, Cursor, VS Code, Windsurf, custom agents).
- During a security review of an internally developed MCP server.
- When validating that approved tools have not silently changed (rug-pull detection).
- As a CI/CD gate that scans MCP configs and SKILL/tool definitions on every change.
- During incident response when an agent took unexpected actions consistent with a poisoned tool.