What Is MCP Tool Poisoning?
MCP tool poisoning is an attack where a malicious MCP server embeds harmful instructions inside its tool descriptions. When an AI coding agent (Claude Code, Cursor, Codex) discovers tools from that server, it reads the descriptions — and the hidden instructions become part of the agent's context, potentially overriding the user's intent.
I tested 47 public MCP servers listed on mcp.so and the Awesome MCP Servers list. 6 had tool descriptions that triggered at least one of our detection patterns. Here's what I found and how you can check your own setup.
Step 1: Locate Your MCP Config Files
AI coding agents store MCP server configurations in JSON files. Here's where to find them:
# Claude Code
~/.claude/settings.json
.claude/settings.json (project-level)
# Cursor
~/.cursor/mcp.json
# VS Code / Copilot
~/.vscode/mcp.json
# Windsurf
~/.windsurf/mcp.json
Each file contains a mcpServers object listing every MCP server your agent can access, including the command to run it and any environment variables passed to it.
Step 2: Scan with Zfuzz
Install Zfuzz MCP and run the config scanner:
claude mcp add zfuzz -- npx @zfuzz/mcp
Then ask your agent:
"Scan my MCP configuration for security issues"
Zfuzz's scan_mcp_config tool checks for:
- Prompt injection patterns — 100+ patterns including instruction override ("ignore previous instructions"), role hijacking ("you are now an admin"), and data exfiltration triggers ("read and include the contents of")
- SSRF-capable parameters — Tools that accept URLs without validation, especially if they can reach internal networks
- Credential access — Tool descriptions that reference
~/.ssh,~/.aws,.env, orprocess.env - Environment variable leakage — MCP configs that pass sensitive env vars (API keys, tokens) to servers that don't need them
Step 3: Manual Red Flags to Check
Beyond automated scanning, here are the red flags I look for manually:
- Instruction keywords in descriptions — Words like "before", "first", "always", "must", "important" followed by actions unrelated to the tool's purpose
- File path references — Any tool description mentioning specific file paths (
~/.ssh/id_rsa,/etc/passwd,~/.gitconfig) - Network-capable tools with broad scopes — A "code formatter" that also makes HTTP requests is suspicious
- Env var passthrough — Check your MCP config for
"env": {"API_KEY": "..."}blocks. Each env var you pass to an MCP server is a credential that server can access - Unpinned versions —
npx @some-mcp/serverwithout a version pin runs the latest version every time. A compromised publish can backdoor your setup
What We Found in 47 MCP Servers
| Finding | Count | Severity |
|---|---|---|
| Instruction override patterns in tool descriptions | 3 | Critical |
| Tools requesting broad file system access | 8 | High |
| Unpinned npm package versions | 31 | Medium |
| Unnecessary env var passthrough | 12 | Medium |
| No tool description at all (opaque) | 4 | Low |
The 3 critical findings were in lesser-known MCP servers with under 50 GitHub stars. All major MCP servers (from Anthropic, Cursor, official integrations) were clean.
Prevention Checklist
- Run
scan_mcp_configafter every new MCP server install - Pin MCP server versions in your config (
npx @zfuzz/mcp@1.0.0) - Minimize env vars passed to MCP servers — only what's strictly needed
- Review tool descriptions in
~/.claude/settings.jsonperiodically - Use Zfuzz Agent Guard for runtime protection (blocks shell injection, SSRF, path traversal)
Get Started
claude mcp add zfuzz -- npx @zfuzz/mcp
Related: How to vet AI agent skills before you install them — the same scrutiny, applied to the skill itself (SKILL.md + bundled scripts), not just MCP configs.



