MCP tool integration trusts server-supplied definitions without integrity verification

[razashariff]

MCP tools loaded via MCPPluginBase.load_tools() accept tool names, descriptions, and parameter schemas directly from the MCP server with no integrity check. Combined with FunctionChoiceBehavior.Auto(), this creates a tool poisoning attack surface (OWASP MCP-01).

Specific concerns:

• Tool descriptions are injected into LLM context unsanitised — a compromised MCP server can embed instructions in the description field that the LLM interprets as directives
• message_handler silently reloads tools on notifications/tools/list_changed — a server can swap tool definitions mid-session without user awareness
• No schema pinning — tool definitions are re-fetched each session with no comparison to a known-good baseline
• Sampling callback passes server-supplied systemPrompt directly to the LLM via ChatHistory

Research shows a 72.8% attack success rate across 20 LLM agents for tool poisoning (MCPTox benchmark, arXiv:2508.14925). Real-world incidents include CVE-2025-6514 (CVSS 9.6), CVE-2025-49596 (CVSS 9.4), and the postmark-mcp supply chain attack (Snyk).

If an agent using Semantic Kernel connects to a compromised MCP server with auto-invocation enabled, the attack chain from tool poisoning to arbitrary code execution is direct — no exploit needed, just a modified JSON field.

The OWASP MCP Top 10 covers this: owasp.org/www-project-mcp-top-10

An IETF Internet-Draft addressing message signing and tool integrity for MCP has been published: draft-sharif-mcps-secure-mcp