Agentic Security
Line jumping: how a poisoned MCP tool hijacks a model that was never called
An MCP tool's description is loaded into the model's context at tools/list time — before the tool is ever invoked. That one protocol detail turns a description field into a prompt-injection payload that fires even if the user never touches the tool. Here's the mechanism, the attack classes, and the audit that catches them.
Jul 5, 2026 · 7 min read