Security/ security · mcp · ai · tool-use

MCP Tool Approval Can Be Spoofed Eight Different Ways

Researchers found eight techniques to smuggle malicious instructions into AI coding agents via MCP, with one making the payload invisible to human reviewers.

A new security paper exposes a structural flaw in the Model Context Protocol that lets attackers feed AI coding agents instructions users never see or approve.

Researchers built a proof-of-concept that speaks the real MCP JSON-RPC protocol against actual client and server software. They implemented eight techniques across five metadata surfaces — tool names, descriptions, input schemas, and related fields — that the MCP approval dialog displays once, then injects verbatim into the model's context on every subsequent turn. All eight delivered attacker-controlled payloads into the model. Four evaded a representative string-matching sanitizer. The key finding: the protocol imposes no requirement that what a human sees in the approval view matches what the model actually receives.

That fidelity gap is the real vulnerability. Seven of the eight techniques deliver visible-but-unreviewed payloads; the eighth uses Unicode's TAG block (U+E0000–U+E007F), a range with no assigned glyph in mainstream terminals, IDEs, or chat renderers, making that specific payload completely invisible in the approval dialog while arriving intact at the model's tokenizer. Crucially, none of the eight techniques triggered a re-approval prompt, including under a time-of-check to time-of-use attack where the server swaps its metadata after initial approval. The researchers confirmed results were consistent across three independent Python MCP server libraries — 32 cross-library outcome cells, total agreement.

MCP is already the dominant standard for how coding agents discover external tools, which means this isn't a theoretical edge case. The approval-dialog model — click once, trust forever — was always a thin defense; this paper puts numbers on exactly how thin.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →