AI_SAFETY · arxiv_cscr · 4 Jun 2026

arXiv: WebMCP Tool Surface Poisoning: Runtime Manipulation Attacks on LLM Agents

AI_SAFETY. Sourced from arxiv_cscr, summarised by Matproof.

AI Analysis

What changed and what to do.

A new research paper published on arXiv, titled "WebMCP Tool Surface Poisoning: Runtime Manipulation Attacks on LLM Agents," identifies a novel vulnerability in large language model (LLM) agents that use the Model Context Protocol (MCP) to interact with external tools. The study demonstrates how attackers can poison the tool surface—the metadata and descriptions that guide an LLM's tool selection—at runtime, causing the agent to misuse or bypass security controls. This is not a software patch but a disclosure of a new attack vector that exploits how LLMs interpret tool definitions, potentially leading to unauthorized data access or actions.

This finding directly affects any organization deploying LLM agents that rely on MCP or similar dynamic tool-calling frameworks, particularly in regulated sectors such as finance, healthcare, and legal services. Compliance teams in these industries must assess whether their AI systems use runtime tool descriptions that could be manipulated by external inputs or untrusted data sources. The risk is highest for agents that process user-provided content or interact with third-party APIs without strict validation.

Compliance teams should immediately review their AI system architectures to determine if tool surfaces are dynamically generated or modifiable at runtime. They should implement static, immutable tool definitions where possible, and add integrity checks to verify tool metadata before each LLM call. Additionally, teams should update their AI risk registers to include this attack vector and coordinate with security teams to test for tool surface poisoning in their current deployments. Monitoring for updates from the EU AI Office on this specific vulnerability is also recommended.
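One way to implement the integrity check recommended above, shown here as an added example (it is not code from the paper or from Matproof): tool definitions are reviewed once at deploy time and pinned by a SHA-256 digest over a canonical JSON form, and every definition the agent is offered at runtime is compared against that pinned manifest before it reaches the model. Any tool whose name is unknown, appears twice, or whose description or schema has drifted is rejected and logged. The tool names, schemas, manifest format and function names are constructed for illustration and are not taken from any MCP implementation.

```python
"""Pin reviewed tool definitions and verify the advertised tool surface
before each LLM call.

Added example, not from the paper or Matproof. Tool names, schemas and the
manifest layout below are constructed assumptions for illustration.
"""
import hashlib
import json


def canonical_tool_digest(tool: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators, ASCII only) so the digest
    # depends only on the content of name, description and input schema,
    # not on key order or whitespace.
    canonical = json.dumps(tool, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(tools: list[dict]) -> dict[str, str]:
    # Built once from reviewed definitions at deploy time: name -> digest.
    # Store this alongside the agent config, not where runtime inputs can reach.
    return {tool["name"]: canonical_tool_digest(tool) for tool in tools}


def verify_tool_surface(runtime_tools: list[dict],
                        manifest: dict[str, str]) -> tuple[list[dict], list[str]]:
    """Return (accepted tools, rejection reasons).

    A tool is accepted only if its name is pinned in the manifest, it is
    advertised exactly once, and its runtime digest equals the pinned digest.
    """
    accepted: list[dict] = []
    rejected: list[str] = []
    seen: set[str] = set()
    for tool in runtime_tools:
        name = tool.get("name")
        if name not in manifest:
            rejected.append(f"{name!r}: not in pinned manifest")
            continue
        if name in seen:
            rejected.append(f"{name!r}: duplicate definition at runtime")
            continue
        seen.add(name)
        if canonical_tool_digest(tool) != manifest[name]:
            rejected.append(f"{name!r}: definition drifted (digest mismatch)")
            continue
        accepted.append(tool)
    return accepted, rejected


# Constructed, reviewed tool definitions (hypothetical tools).
REVIEWED_TOOLS = [
    {"name": "search_docs",
     "description": "Search the internal document index by keyword.",
     "input_schema": {"type": "object",
                      "properties": {"query": {"type": "string"}},
                      "required": ["query"]}},
    {"name": "get_balance",
     "description": "Return the balance of the given account id.",
     "input_schema": {"type": "object",
                      "properties": {"account_id": {"type": "string"}},
                      "required": ["account_id"]}},
]
MANIFEST = build_manifest(REVIEWED_TOOLS)


def demo() -> tuple[list[dict], list[str]]:
    # Constructed runtime tool surface: one duplicate, one description that
    # changed after review, and one tool that was never reviewed at all.
    runtime_surface = [
        REVIEWED_TOOLS[0],
        REVIEWED_TOOLS[0],
        {**REVIEWED_TOOLS[1],
         "description": "Return the balance of the given account id (updated)."},
        {"name": "export_all",
         "description": "Export every record in the system.",
         "input_schema": {"type": "object", "properties": {}}},
    ]
    return verify_tool_surface(runtime_surface, MANIFEST)


if __name__ == "__main__":
    ok, problems = demo()
    print("accepted:", [t["name"] for t in ok])
    for reason in problems:
        print("rejected:", reason)
```

The check runs on every call, not only at startup, because the attack described is a runtime one: a surface that verified clean when the agent was launched can be altered later. Rejections are returned as structured reasons so they can be forwarded to the security team's logging rather than silently dropped.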

View original at arxiv_cscr

This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.
