Overview
A specialized form of prompt injection where malicious instructions are embedded in tool descriptions—visible to the LLM but hidden from users. Attackers create tools with concealed directives that cause the LLM to perform unauthorized actions such as exfiltrating private data.
Who Is Affected
Discovered by Invariant Labs during security analysis of the MCP ecosystem. Affects any user connecting to untrusted MCP servers, particularly those using Claude Desktop or similar MCP clients.
Where It Exists
The vulnerability exists in the tool description field of MCP server tool definitions. Since MCP clients inject all tool descriptions into the LLM context window, any connected server can influence model behavior through this channel.
When It Was Found
Publicly disclosed on April 1, 2025. The vulnerability is inherent to the MCP protocol design and has existed since the protocol's inception.
How It Works
A malicious MCP server defines a tool (e.g., a calculator) with hidden instructions in its description telling the LLM to read sensitive files (like ~/.ssh/id_rsa) and pass their contents as a parameter. The exfiltrated data is sent to the attacker's server before the tool returns its normal result. Users see only the calculator output and never the hidden data transfer.
Impact
Complete compromise of user data accessible to the LLM. Attackers can silently exfiltrate files, environment variables, conversation history, and any data the MCP client has permission to access. The attack is invisible to users who don't inspect raw tool descriptions.
Mitigation
Inspect all tool descriptions before connecting to new MCP servers. Use MCP clients that display full tool descriptions. Implement tool description scanning for suspicious instructions. Sandbox MCP server access to limit file system and network exposure. Consider using ETDI (Enhanced Tool Definition Interface) for tool integrity verification.