Securing LLM Superpowers: When Tools Turn Hostile in MCP

This report analyzes two critical attack vectors in MCP-based LLM tool integrations: (1) prompt injection via tool definitions, where malicious descriptions or hidden markup in registered tools coerce models to exfiltrate or mishandle data; and (2) cross-server tool shadowing, where untrusted servers inject persistent instructions into the shared LLM context that later alter calls to legitimate tools (for example silently adding BCC recipients). The write-up includes concrete JSON examples, explains why MCP’s shared context and naive serialization of tool metadata are dangerous, and outlines defenses such as registry provenance and signing, prompt-injection classifiers, schema enforcement, markup stripping, per-server isolation, and runtime anomaly detection.