AI Agent Tool - AI Security Technique

Record summary

A quick snapshot of what this page covers.

Tactics0Attacker goals connected to this method.

Mitigations0Defenses that may help against this attack.

AI risks21Research-backed risks connected to this topic.

Attack context

How this AI attack works in practice.

Adversaries may target AI agent tools as a means to compromise a victim's AI supply chain. Tools add capabilities to AI agents, allowing them to interact with other services, connect to data sources, access internet resources, run system tools, and execute code. They are an attractive target for adversaries because compromising an AI agent can provide them with broad accesses and permissions on the victim's system via the agent's other tools.

Poisoned agent tools (See AI Agent Tool Poisoning) can contain malicious code or LLM Prompt Injections that manipulate the agent's behavior and even modify how other tools are called. Adversaries have successfully used a poisoned MCP server to exfiltrate private user data [\[5\]][koi].

Agent tools have exploded in popularity, with thousands of MCP servers available publicly [\[2\]][glama]. They are often released on open-source software repositories such as GitHub, indexed on hubs specific to MCP servers [\[3\]][mcp-hub][\[4\]][mcp-server-hub], and published to package registries such as NPM. AI agents can also be connected to remotely-hosted tools [\[5\]][remote-mcp]. This creates an environment where malicious tools can proliferate rapidly and safeguards are often not in place.

[koi]: https://www.koi.ai/blog/postmark-mcp-npm-malicious-backdoor-email-theft "First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails" [glama]: https://glama.ai/mcp/servers "Glama" [mcp-hub]: https://www.mcphub.ai/ "MCP Hub" [mcp-server-hub]: https://mcpserverhub.com/ "MCP Server Hub" [remote-mcp]: https://mcpservers.org/remote-mcp-servers "Remote MCP Servers"

ATLAS ID: AML.T0010.005
Priority score: 165

Maturity: realized

Mitigations

Defenses that may help against this attack.

No connected defenses. No defense is connected to this attack in the current data.

Case studies

Examples from public reports and exercises.

Supply Chain Compromise via Poisoned ClawdBot Skill

exercise

Date2026-01-26

A security researcher demonstrated a proof-of-concept supply chain attack using a poisoned ClawdBot Skill shared on ClawdHub, a Skill registry for agents. The poisoned Skill contained a prompt injection that caused ClawdBot to execute a shell command that reached the researcher's server. Although the researcher here used this access simply to warn users about the danger, they could have instead delivered a malicious payload and compromised the user's system. The security researcher recorded 16 different users who downloaded and executed the poisoned Skill in the first 8 hours of it being published on ClawdHub.

Poisoned Postmark MCP Server Email Exfiltration

incident

Date2025-09-01

A bad actor successfully exfiltrated emails from users of the Postmark’s MCP server via a supply chain attack. Postmark is an email delivery service that allows organizations to send marketing and transactional emails via API. The Postmark MCP server allows users to interact with Postmark via AI agents.

The bad actor impersonated Postmark, by registering the postmark-mcp package name on npm. They initially published the legitimate versions of the MCP server. After the package became popular and reached over 1,000 downloads per week, the bad actor performed a rugpull and uploaded a malicious version of the package. The malicious version added the bad actor’s email address in the BCC line of all emails sent by the MCP tool. Users who upgraded to this version and continued to use the tool would have all emails exfiltrated to the bad actor.

Data Exfiltration via Remote Poisoned MCP Tool

exercise

Date2025-04-01

Researchers at Invariant Labs demonstrated that AI agents configured with remote Model Context Protocol (MCP) Tools can be vulnerable to model poisoning attacks. They show that an MCP Tool can contain malicious prompts in its docstring description, which is ingested into the AI agent’s context, modifying its behavior.

They demonstrate this attack with a proof-of-concept MCP Tool that instructs the agent to perform additional actions before using the tool. The agent is instructed to read files containing credentials from the victim’s machine and store their contents in one of the input variables to the tool. When the tool runs, the victim’s credentials are exfiltrated to the poisoned MCP server.