Skip to content
ATR-2026-00010criticalTool Poisoningexperimental

Malicious Content in MCP Tool Response

Detects malicious content embedded in MCP (Model Context Protocol) tool responses. Attackers may compromise or impersonate MCP servers to inject shell commands, encoded payloads, reverse shells, data exfiltration scripts, or prompt injection payloads into tool responses that the agent will process and potentially execute. Detection covers: destructive shell commands, command execution via interpreters, reverse shells (bash, netcat, socat, Python, Node, Ruby, Perl, PowerShell), curl/wget pipe-to-shell, command substitution, base64 decode-and-execute, process substitution, IFS/variable expansion evasion, privilege escalation, PowerShell-specific attack patterns, Python/Node reverse shells, encoded command execution, and prompt injection within tool responses.

嚴重度
critical
類別
Tool Poisoning
掃描目標
mcp
作者
ATR Community

建議回應

block toolquarantine sessionalertkill agent

參考資料

CVE
CVE-2025-68143CVE-2025-68144CVE-2025-68145CVE-2025-6514CVE-2025-59536CVE-2026-21852
OWASP Agentic
ASI02:2026 - Tool Misuse and ExploitationASI05:2026 - Unexpected Code Execution
OWASP LLM
LLM01:2025 - Prompt InjectionLLM05:2025 - Improper Output Handling
MITRE ATLAS
AML.T0051.001 - Indirect Prompt InjectionAML.T0056 - LLM Meta Prompt Extraction
在 GitHub 上查看完整 YAML →

更多 Tool Poisoning 規則

ATR-2026-00011highInstruction Injection via Tool OutputATR-2026-00012highUnauthorized Tool Call DetectionATR-2026-00013criticalSSRF via Agent Tool CallsATR-2026-00061mediumSkill Description-Behavior MismatchATR-2026-00062criticalHidden Capability in MCP Skill