What is MCP tool poisoning?

Attackers embed malicious instructions inside MCP tool description fields. These land in the LLM context and are treated as trusted input, causing the agent to exfiltrate data or execute unauthorized actions.

How widespread is MCP tool poisoning?

A scan of 1,899 publicly listed MCP servers found ~5.5% contained tool poisoning. OWASP formally classified it in their MCP Top 10 2025 list.

Has MCP tool poisoning been exploited in real attacks?

Yes. GitHub MCP: malicious issue triggered data exfiltration from private repos. WhatsApp MCP: rug-pull redirected chat histories. Cursor/Supabase: support ticket SQL injection leaked tokens.

What is CVE-2025-54136?

CVE-2025-54136 is the MCP tool poisoning structural vulnerability. It is OWASP MCP Top 10 #3 (Tool Poisoning) for 2025. Attack success rate exceeds 72% in research benchmarks.

How do you defend against MCP tool poisoning?

mcp-scan by Invariant Labs does static analysis of tool descriptions. MCPShield, AIP (Agent Identity Protocol), and mcp-safe-fetch address runtime defense. No universal standard yet.

← Back to dashboard

clawsmith.com/signal/mcp-tool-poisoning-prompt-injection

⚠ IssueUnderservedToolLive

MCP Tool Poisoning: Attackers Hide Malicious Instructions in Tool Descriptions to Exfiltrate SSH Keys and Private Repos

Malicious MCP servers embed hidden instructions in tool description fields — text that lands in the LLM context window and gets treated as trusted input. Demonstrated real attacks: GitHub MCP poisoning exfiltrated private repo data via a malicious public issue; WhatsApp rug-pull redirected chat histories to attacker server; Cursor agent processed poisoned support tickets and leaked tokens. OWASP named it #3 in MCP Top 10 2025. CVE-2025-54136 assigned. 5.5% of 1,899 public MCP servers found poisoned in scan.

Score Breakdown

913

Issues

221

Social Proof 2 sources

The "S" in MCP Stands for Security

skilldeliver · 4/6/2025

913 GH

invariantlabs-ai/mcp-injection-experiments – Code to reproduce MCP tool poisoning attacks (195 stars)

gh:lbeurerkellner · 4/1/2025

221

Gap Assessment

UnderservedExisting solutions leave gaps

mcp-scan by Invariant Labs is the main static analyzer. No universal runtime defense standard. mcp-safe-fetch, MCPShield, AIP (Agent Identity Protocol) all early-stage.

Frequently Asked Questions

Virality Score

1,134

across 2 platforms

Details

Signalissue

EcosystemTool

Sources2

Platforms2

Updated2h ago

Trend→ stable

Top ideas

All ideas →

0A mobile app that detects and removes AI-generated tracks from your Spotify playlists before you hear them 0A web app that tracks AI coding tool spend across Copilot, Claude Code, and Cursor, normalized per commit and per PR 0A browser extension that monitors installed extensions for ownership transfers, permission scope changes, and suspicious outbound data requests in real time

Related signals

All signals →

2.3Knpm Supply Chain Attacks Targeting MCP Packages: Backdoored MCP Servers Exfiltrate Secrets at Scale