LLM Tool Poisoning Attacks: Full-Schema Poisoning and Advanced Tool Poisoning Attacks
Anthropic's Model Context Protocol (MCP) lets Large Language Models (LLMs) interact with external tools, but researchers have uncovered novel attacks: Tool Poisoning Attacks (TPAs). Previous research focused on tool description fields, but new findings reveal the attack surface extends to the entire tool schema, coined "Full-Schema Poisoning" (FSP). Even more dangerous are "Advanced Tool Poisoning Attacks" (ATPAs), which manipulate tool outputs, making static analysis difficult. ATPAs trick LLMs into leaking sensitive information by crafting deceptive error messages or follow-up prompts. The paper suggests mitigating these attacks through static detection, strict enforcement, runtime auditing, and contextual integrity checks.
Read more