Rubén Santos García
MCP tool descriptions are instructions, not just metadata. A malicious server embeds payloads in description fields: your AI exfiltrates SSH keys, reads config files, sends data via tool parameters. Anthropic's Inspector had no auth on port 6277, RCE via DNS rebinding from any open browser tab. mcp-remote's OAuth handshake executed attacker code on 437K+ installs before the auth flow even completed. https://www.kayssel.com/newsletter/issue-50/
#infoSec #cyberSecurity
MCP Security: Poisoning the Tools Your AI Trusts

Tool poisoning via description fields, rug pull attacks, cross-server shadowing, RCE in MCP client tooling, and DVMCP practice lab

Kayssel
May 17 at 10:31amWeb