Hide Navigation
Hide TOC
Detects MCP tool poisoning attacks that embed hidden instructions inside an XML-style tag in a tool description, or that chain behavior across multiple co-installed MCP servers by referring to "the also present" or "previously declared" tool. This is the attack class Invariant Labs published proof-of-concept exploits for in April 2025 against Claude Desktop and Cursor, achieving SSH private key and mcp.json configuration exfiltration. Also detects the January 2026 fake "Postmark MCP Server" pattern of embedding sensitive file read directives in tool descriptions. The visible tool signature looks benign (e.g. a numeric "add" function), but the description contains LLM-visible directives that the UI does not render. Users approving the tool on the basis of its surface behavior are unaware of the shadowed instruction.