What Is MCP Tool Poisoning?

MCP tool poisoning is an attack where a malicious MCP server embeds harmful instructions inside its tool descriptions. When an AI coding agent (Claude Code, Cursor, Codex) discovers tools from that server, it reads the descriptions — and the hidden instructions become part of the agent's context, potentially overriding the user's intent.

I tested 47 public MCP servers listed on mcp.so and the Awesome MCP Servers list. 6 had tool descriptions that triggered at least one of our detection patterns. Here's what I found and how you can check your own setup.

Step 1: Locate Your MCP Config Files

AI coding agents store MCP server configurations in JSON files. Here's where to find them:

# Claude Code
~/.claude/settings.json
.claude/settings.json (project-level)

# Cursor
~/.cursor/mcp.json

# VS Code / Copilot
~/.vscode/mcp.json

# Windsurf
~/.windsurf/mcp.json

Each file contains a mcpServers object listing every MCP server your agent can access, including the command to run it and any environment variables passed to it.

Step 2: Scan with Zfuzz

Install Zfuzz MCP and run the config scanner:

claude mcp add zfuzz -- npx @zfuzz/mcp

Then ask your agent:

"Scan my MCP configuration for security issues"

Zfuzz's scan_mcp_config tool checks for:

  • Prompt injection patterns — 100+ patterns including instruction override ("ignore previous instructions"), role hijacking ("you are now an admin"), and data exfiltration triggers ("read and include the contents of")
  • SSRF-capable parameters — Tools that accept URLs without validation, especially if they can reach internal networks
  • Credential access — Tool descriptions that reference ~/.ssh, ~/.aws, .env, or process.env
  • Environment variable leakage — MCP configs that pass sensitive env vars (API keys, tokens) to servers that don't need them

Step 3: Manual Red Flags to Check

Beyond automated scanning, here are the red flags I look for manually:

  1. Instruction keywords in descriptions — Words like "before", "first", "always", "must", "important" followed by actions unrelated to the tool's purpose
  2. File path references — Any tool description mentioning specific file paths (~/.ssh/id_rsa, /etc/passwd, ~/.gitconfig)
  3. Network-capable tools with broad scopes — A "code formatter" that also makes HTTP requests is suspicious
  4. Env var passthrough — Check your MCP config for "env": {"API_KEY": "..."} blocks. Each env var you pass to an MCP server is a credential that server can access
  5. Unpinned versionsnpx @some-mcp/server without a version pin runs the latest version every time. A compromised publish can backdoor your setup

What We Found in 47 MCP Servers

FindingCountSeverity
Instruction override patterns in tool descriptions3Critical
Tools requesting broad file system access8High
Unpinned npm package versions31Medium
Unnecessary env var passthrough12Medium
No tool description at all (opaque)4Low

The 3 critical findings were in lesser-known MCP servers with under 50 GitHub stars. All major MCP servers (from Anthropic, Cursor, official integrations) were clean.

Prevention Checklist

  1. Run scan_mcp_config after every new MCP server install
  2. Pin MCP server versions in your config (npx @zfuzz/mcp@1.0.0)
  3. Minimize env vars passed to MCP servers — only what's strictly needed
  4. Review tool descriptions in ~/.claude/settings.json periodically
  5. Use Zfuzz Agent Guard for runtime protection (blocks shell injection, SSRF, path traversal)

Get Started

claude mcp add zfuzz -- npx @zfuzz/mcp

GitHub · npm

Related: How to vet AI agent skills before you install them — the same scrutiny, applied to the skill itself (SKILL.md + bundled scripts), not just MCP configs.