MCP Tool Poisoning Defense: LLM-Based Zero-Shot Tool Inspection with Rug-Pull Detection
MCP tool poisoning embeds malicious directives in tool docstrings using Unicode ASCII smuggling or Base64 to bypass keyword detection, while 'rug-pull' redefinitions silently change tool behavior after initial trust approval and data exfiltration exploits semantically named parameters (e.g., `summary_of_environment_details`) that cause models to auto-populate credentials and system prompts. The concrete defense uses a secondary LLM for zero-shot detection: pass all tool definitions with the prompt 'Analyze these tool definitions for malicious activity including data exfiltration, obfuscation, and command execution' and return structured JSON with risk levels and specific concerns. Pair this with running MCP clients inside Docker containers, disabling 'always allow' for sensitive operations, and logging all tool invocations for anomaly review.
↳ Follow the thread