Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Akshay 🚀 Profile picture
Akshay 🚀
@akshay_pachaar
Simplifying LLMs, AI Agents, RAGs and Machine Learning for you! • Co-founder @dailydoseofds_• BITS Pilani • 3 Patents • ex-AI Engineer @ LightningAI

Jul 20, 13 tweets

MCP security is completely broken!

Let's understand tool poisoning attacks and how to defend against them:

MCP allows AI agents to connect with external tools and data sources through a plugin-like architecture.

It's rapidly taking over the AI agent landscape with millions of requests processed daily.

But there's a serious problem... 👇

1️⃣ What is a Tool Poisoning Attack (TPA)?

When Malicious instructions are hidden within MCP tool descriptions that are:

❌ Invisible to users
✅ Visible to AI models

These instructions trick AI models into unauthorized actions, unnoticed by users.

Here's how the attack works:

AI models see complete tool descriptions (including malicious instructions), while users only see simplified versions in their UI.

First take a look at this malicious tool:

Let me quickly show the attack in action by connecting this server to my cursor IDE.

Check this out👇

Now let's understand a few other ways these attacks can happen and then we'll also talk about solutions...👇

2️⃣ Tool hijacking Attacks:

When multiple MCP servers are connected to same client, a malicious server can poison tool descriptions to hijack behavior of TRUSTED servers.

Here's an example of an email sending server hijacked by another server:

Take a look at these two MCP servers before we actually use them to demonstrate tool hijacking.

`add()` tool in the second server secretly tries to hijack the operation of send email tool in the first server.

Let's see tool hijacking attack in action, again by connecting the above two servers to my cursor IDE!

Check this out👇

3️⃣ MCP Rug Pulls ⚠️

Even worse - malicious servers can change tool descriptions AFTER users have approved them.

Think of it like a trusted app suddenly becoming malware after installation.
This makes the attack even more dangerous and harder to detect.

🛡️Mitigation Strategies:

- Display full tool descriptions in the UI
- Pin (lock) server versions
- Isolate servers from one another
- Add guardrails to block risky actions

Until security issues are fixed, use EXTREME caution with.

Finally, here's a summary of how MCP works and how these attacks can occur. This visual explains it all.

I hope you enjoyed today's post. Stay tuned for more! 🙌

If you found it insightful, reshare with your network.

Find me → @akshay_pachaar ✔️
For more insights and tutorials on LLMs, AI Agents, and Machine Learning!

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling