Skills
Treat MCP tool poisoning as a supply-chain problem — put the fix on the network, not the laptop
A May 2026 OX Security disclosure flagged a systemic tool-poisoning weakness across MCP implementations with ~150M downloads and an estimated 200,000 vulnerable instances, where malicious instructions hide in server-side tool metadata the agent reads at boot but the user never sees. Unlike prompt injection (an input-validation problem), tool poisoning is a supply-chain problem the model cannot distinguish from a legitimate prompt, so defenses must live in infrastructure. Actionable: enforce tool allowlisting, identity binding, runtime monitoring, and human-in-the-loop checkpoints at an AI gateway rather than relying on the client.
Source
↳ Follow the thread