## MCP Probe Tool: Critical Prompt Injection Risk in Tool Descriptions Exposed
A critical security gap has been identified in the `mcp probe` tool's verification process, exposing AI agents to direct prompt injection attacks. Currently, when the probe successfully retrieves a `tools/list` response from an MCP server, it only flags authentication-bypass issues and discards the actual response payload. This leaves a major attack surface unexamined: malicious or compromised MCP servers can embed hidden instructions directly within the tool definitions they return. These instructions, concealed in the `name`, `description`, or parameter `description` fields, are designed to manipulate the behavior of the calling Large Language Model (LLM) agent, representing one of the most significant MCP-specific security threats.

The proposed change targets the `src/active/verification.ts` file, specifically within the `verifyMcpEndpoint()` function. The fix requires the tool to parse and preserve the `result.tools` array from the JSON-RPC success response body, which is currently consumed and discarded. For each tool definition returned by the server, the probe must actively scan the `name`, `description`, and all parameter `description` fields for potential prompt injection payloads. This scanning is a core component of testing AI agent components and aligns with broader security roadmap goals.

This oversight means that a seemingly successful and authenticated connection to an MCP server could still be a conduit for a sophisticated attack. The risk is not theoretical; it exploits the fundamental trust an LLM agent places in the tool metadata provided by its configured servers. Implementing this detection is a necessary step to prevent agents from being covertly hijacked through their own tooling interfaces, moving security analysis beyond simple access control to the content of the communications themselves.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: AI Security, Prompt Injection, MCP Protocol, LLM Agents, Vulnerability
- **Credibility**: unverified
- **Published**: 2026-03-29 20:26:57
- **ID**: 40028
- **URL**: https://whisperx.ai/en/intel/40028