ATR-2026-00010criticalTool Poisoningexperimental

Malicious Content in MCP Tool Response

Detects malicious content embedded in MCP (Model Context Protocol) tool responses. Attackers may compromise or impersonate MCP servers to inject shell commands, encoded payloads, reverse shells, data exfiltration scripts, or prompt injection payloads into tool responses that the agent will process and potentially execute. Detection covers: destructive shell commands, command execution via interpreters, reverse shells (bash, netcat, socat, Python, Node, Ruby, Perl, PowerShell), curl/wget pipe-to-shell, command substitution, base64 decode-and-execute, process substitution, IFS/variable expansion evasion, privilege escalation, PowerShell-specific attack patterns, Python/Node reverse shells, encoded command execution, and prompt injection within tool responses.

Severity

critical

Response Actions

block toolquarantine sessionalertkill agent

References

CVE

CVE-2025-68143 CVE-2025-68144 CVE-2025-68145 CVE-2025-6514 CVE-2025-59536 CVE-2026-21852

OWASP Agentic

ASI02:2026 - Tool Misuse and ExploitationASI05:2026 - Unexpected Code Execution

OWASP LLM

LLM01:2025 - Prompt InjectionLLM05:2025 - Improper Output Handling

MITRE ATLAS

AML.T0051.001 - Indirect Prompt InjectionAML.T0056 - LLM Meta Prompt Extraction

View full YAML on GitHub →

More Tool Poisoning Rules

ATR-2026-00011highInstruction Injection via Tool Output ATR-2026-00012highUnauthorized Tool Call Detection ATR-2026-00013criticalSSRF via Agent Tool Calls ATR-2026-00061mediumSkill Description-Behavior Mismatch ATR-2026-00062criticalHidden Capability in MCP Skill