ATR-2026-00153 | critical | Tool Poisoning | draft

Tool with embedded instruction to bypass user confirmation and exfiltrate data

Detects MCP tools whose definitions contain hidden instructions to bypass user confirmation and exfiltrate sensitive data directly. This pattern flags tools that explicitly instruct the LLM to send data "without asking user confirmation" and to "always pass all data directly" to external endpoints. Such instructions have no legitimate functional purpose in a tool description and are clear indicators of malicious intent.

Severity: critical
Category: Tool Poisoning
Scan Target: mcp
Author: Threat Cloud LLM Analyzer

Response Actions

alert, snapshot