WebMCP Threat Atlas
A map of how WebMCP tools get attacked.
The canonical, primary-cited threat taxonomy for builders: how WebMCP tools are attacked, what correct defense looks like, and where to verify both. Every attack pattern is backed by a primary source and a reproducible fixture. The thing to cite when you ask: "Is this safe for an agent to call?"
The four attack patterns
- Contaminated tool output: attack via malicious instructions hidden in returned data from third parties.
- Definition mutation (rug pull): a tool is benign when approved, then silently changes its definition on a later visit.
- Hidden instructions in tool metadata: attack via adversarial text in tool names, parameter names, or descriptions.
- Tool shadowing: a malicious tool collides with or overrides a trusted tool's name so the agent calls the wrong one.
Defense principles
Every pattern maps to a defense:
- Treat all tool definitions as untrusted input. A tool's name, description, and parameter names are not instructions; they are data. Treat them as such in the model's token stream.
- Treat all tool output as untrusted data. A tool may be benign but return data it does not control. Do not let returned content escalate the agent's privileges.
- Pin tool definitions to what was approved. When a user approves a tool, anchor that approval to its definition at that moment. A changed definition (even if it carries the same name) should re-prompt.
- Namespace or origin-scope tools to prevent collisions. If multiple tools can register the same name, bind each to its origin so name shadowing is detectable.
Scope and intent
This atlas is written for builders: engineers implementing agents, framework authors designing tool-call flows, and security reviewers assessing new WebMCP surfaces. It is not a scanner or a validator; it is a synthesis layer between Chrome's tactical guidance and the academic benchmarks, bridging the gap to a crisp attack → fixture → defense map.
Every claim is tied to a primary source with its verification date. When a question remains open, we mark it as such. The site itself practices what it preaches: minimal craft, no invention, pull not push.