ATR-2026-00095 | critical | Tool Poisoning | draft
MCP Tool Supply Chain Poisoning
Detects tool poisoning attacks targeting the MCP (Model Context Protocol) skill/tool supply chain. Attackers inject malicious payloads into tool descriptions, return values, or schemas that are consumed by agents, causing unintended code execution, data exfiltration, or privilege escalation when the poisoned tool is invoked.
Severity
critical
Category
Tool Poisoning
Scan Target
mcp
Author
ATR Community (MiroFish Predicted)
Response Actions
block input, quarantine session, alert, escalate, kill agent
References
MITRE ATLAS
AML.T0053