Attacks and threats
Tool poisoning
Tool poisoning hides malicious instructions inside a tool's name or description so the AI model is manipulated the moment it reads the tool, before any call is made.
Also called: MCP tool poisoning
Definition
What is tool poisoning?
Tool poisoning attacks the metadata of a tool rather than its output. Because an agent reads a tool's name and natural-language description to decide when and how to use it, an attacker who controls a tool definition (for example on a malicious MCP server) can embed instructions there: tell the model to first read a secret file, or to append hidden data to another tool's arguments. The instructions execute in the model's context as soon as the tools are loaded.
This makes tool poisoning a supply-chain risk for agents. The defense is to inspect tool definitions before an agent trusts them, flag descriptions that carry instructions or solicit credentials, and re-check them over time, so a server cannot smuggle behavior in through the very text the model relies on to use it.
FAQ
Common questions.
How is tool poisoning different from prompt injection?
Prompt injection plants instructions in data the agent reads at runtime. Tool poisoning plants them in the tool's own definition, so the model is influenced the moment the tools load, before any user input or tool result.
Related terms
Keep reading.
Govern the actions, not just the vocabulary
AxioRank scores every tool call your agents make for leaked secrets, PII, destructive operations, and prompt injection, checks it against your policy, and proves it in a tamper-evident audit log. Start free, no card.