Skills
Defend MCP tool poisoning with manifest-delta auditing, not just a gateway
After the May 2026 OX Security disclosure (a systemic MCP flaw across Python/TS/Java/Rust, tracked as CVE-2025-54136), tool poisoning — malicious instructions hidden in tool *metadata* the agent reads but humans never see — became 2026's highest-leverage agent attack because it fires silently on every invocation. The concrete defense is detection by diffing: enumerate every connected MCP server, snapshot every served tool description at install/review time, and flag any wording delta for investigation, backed by signed clearance assertions and deny-by-default allowlists. This complements an MCP gateway rather than replacing it.
Source
↳ Follow the thread