REDDIT · REDDIT// 3h agoSECURITY INCIDENT

MCP Tool Descriptions Leak SSH Keys

Security researchers showed that malicious MCP tool metadata can hide instructions that make agents read sensitive local files, including SSH keys, and exfiltrate them through otherwise normal tool calls. The attack expands beyond top-level descriptions to nested schema fields and mid-session tool definition changes.

// ANALYSIS

MCP’s trust model is too loose: it treats remote tool JSON as documentation, while the model treats it as instructions. That gap is enough to turn a harmless-looking server into a credential-stealing channel.

–Tool descriptions are part of the model context, so hidden instructions can steer behavior without any explicit user prompt injection
–The attack is broader than one field: parameter names, nested schema text, and dynamic `tools/list` updates all widen the blast radius
–A one-time approval dialog is not enough if tool definitions can mutate later without re-consent
–Defenses need to move below the model layer: schema scanning, hash pinning, drift detection, and network-side monitoring
–This is a reminder that MCP turns “developer convenience” into “attack surface” unless servers are treated as untrusted by default

// TAGS

mcpagentautomationapisafety

DISCOVERED

3h ago

2026-04-17

PUBLISHED

18h ago

2026-04-16

RELEVANCE

8/ 10

AUTHOR

Still_Piglet9217