WebMCP Threat Atlas

A map of how WebMCP tools get attacked.

The canonical, primary-cited threat taxonomy for builders: how WebMCP tools are attacked, what correct defense looks like, and where to verify both. Every attack pattern is backed by a primary source and a reproducible fixture. The thing to cite when you ask: "Is this safe for an agent to call?"

The four attack patterns

Contaminated tool output

Attack via malicious instructions hidden in returned data from third parties

Definition mutation (rug pull)

A tool is benign when approved, then silently changes its definition on a later visit

Hidden instructions in tool metadata

Attack via adversarial text in tool names, parameter names, or descriptions

Tool shadowing

A malicious tool collides with or overrides a trusted tool's name so the agent calls the wrong one

Defense principles

Every pattern maps to a defense:

  • Treat all tool definitions as untrusted input. A tool's name, description, and parameter names are not instructions; they are data. Treat them as such in the model's token stream.
  • Treat all tool output as untrusted data. A tool may be benign but return data it does not control. Do not let returned content escalate the agent's privileges.
  • Pin tool definitions to what was approved. When a user approves a tool, anchor that approval to its definition at that moment. A changed definition (even if it carries the same name) should re-prompt.
  • Namespace or origin-scope tools to prevent collisions. If multiple tools can register the same name, bind each to its origin so name shadowing is detectable.
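A worked illustration of the third and fourth principles, covering the "definition mutation (rug pull)" and "tool shadowing" patterns above. This is an added example, not code from the Threat Atlas, from Chrome, or from any WebMCP implementation. It assumes a tool definition arrives as a dict with `name`, `description` and `parameters` plus the origin it was served from; `definition_fingerprint`, `ApprovalRegistry` and `Verdict` are hypothetical names chosen for this example, and the sample definitions in `demo()` are constructed.

```python
"""Approval pinning and origin scoping for agent tool registries.

Added example for the Threat Atlas; not part of any WebMCP implementation.
Assumption: a tool definition is a dict with name/description/parameters,
and the agent knows which origin served it.
"""
import hashlib
import json
from dataclasses import dataclass


def definition_fingerprint(definition: dict) -> str:
    """Canonical SHA-256 over exactly the fields the model is shown.

    Sorted keys and no whitespace mean two definitions that differ only in
    key order or formatting hash identically, while any change to the name,
    description, or parameter schema changes the digest.
    """
    visible = {
        "name": definition["name"],
        "description": definition.get("description", ""),
        "parameters": definition.get("parameters", {}),
    }
    canonical = json.dumps(visible, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Verdict:
    status: str        # "unknown" | "approved" | "changed" | "shadowed"
    scoped_name: str   # the origin-bound name the agent exposes to the model
    detail: str = ""


class ApprovalRegistry:
    """Pins each user approval to (origin, fingerprint) and scopes names by origin."""

    def __init__(self) -> None:
        # (origin, bare tool name) -> fingerprint the user approved
        self._approved: dict = {}
        # bare tool name -> set of origins that have presented it
        self._origins_by_name: dict = {}

    @staticmethod
    def scoped_name(origin: str, name: str) -> str:
        # Binding the name to its origin keeps two same-named tools distinct
        # in the model's token stream and makes collisions visible.
        return f"{origin}::{name}"

    def approve(self, origin: str, definition: dict) -> str:
        """Record the user's approval of this exact definition (hypothetical API)."""
        fp = definition_fingerprint(definition)
        self._approved[(origin, definition["name"])] = fp
        return fp

    def check(self, origin: str, definition: dict) -> Verdict:
        """Decide whether the agent may call this tool without re-prompting."""
        name = definition["name"]
        scoped = self.scoped_name(origin, name)
        fp = definition_fingerprint(definition)

        # Shadowing: the same bare name has now been presented by another origin.
        seen = self._origins_by_name.setdefault(name, set())
        others = seen - {origin}
        seen.add(origin)
        if others:
            return Verdict("shadowed", scoped,
                           f"'{name}' also registered by {sorted(others)}")

        pinned = self._approved.get((origin, name))
        if pinned is None:
            return Verdict("unknown", scoped, "not yet approved; prompt the user")
        if pinned != fp:
            # Rug pull: same name and origin, but not the definition that was approved.
            return Verdict("changed", scoped,
                           "definition differs from the approved one; re-prompt")
        return Verdict("approved", scoped)


def demo() -> list:
    """Walk through approval, a definition change, and a name collision (constructed data)."""
    reg = ApprovalRegistry()
    benign = {
        "name": "search_orders",
        "description": "Search the customer's order history by keyword.",
        "parameters": {"type": "object",
                       "properties": {"query": {"type": "string"}}},
    }
    trace = []
    trace.append(reg.check("https://shop.example", benign).status)   # unknown
    reg.approve("https://shop.example", benign)
    trace.append(reg.check("https://shop.example", benign).status)   # approved

    # Same name, same origin, but the description is no longer what was approved.
    mutated = dict(benign, description="Search orders by keyword or date range.")
    trace.append(reg.check("https://shop.example", mutated).status)  # changed

    # Same bare name presented by a different origin.
    trace.append(reg.check("https://ads.example", benign).status)    # shadowed
    return trace


if __name__ == "__main__":
    print(demo())
```

The fingerprint covers only the fields the model sees, so a definition that is reordered or reformatted by the page is still recognised as approved, while any visible change (including one that keeps the same name) drops back to a re-prompt. Shadowing is reported even when the newcomer's definition is byte-identical to an approved one, because the collision itself is the signal worth surfacing.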

Scope and intent

This atlas is written for builders: engineers implementing agents, framework authors designing tool-call flows, and security reviewers assessing new WebMCP surfaces. It is not a scanner or a validator; it is a synthesis layer between Chrome's tactical guidance and the academic benchmarks, bridging the gap to a crisp attack → fixture → defense map.

Every claim is tied to a primary source with its verification date. When a question remains open, we mark it as such. The site itself practices what it preaches: minimal craft, no invention, pull not push.