MCP security, explained.
The Model Context Protocol gave AI agents a universal plug. One standard, and an agent can reach your files, your database, your cloud, your internal APIs, and a few thousand tools other people wrote. That convenience is also the problem. Every tool an agent can call is attack surface, and most of it was never reviewed the way you would review a web endpoint.
This is a plain-language guide to the attack classes, mapped to the OWASP MCP Top 10, with what to actually do about each one.
The attacks, in plain language
Tool poisoning (OWASP MCP03)
A tool's description is part of the prompt the model reads, but not part of what you see in the approval dialog. Tool poisoning hides instructions in that description, schema, or return value so the agent follows them while you stay in the dark. Invariant Labs named the attack in April 2025.
Prompt injection (OWASP MCP06)
Untrusted text lands in the same context as your trusted instructions, and the model cannot tell them apart. With agents the untrusted text usually arrives through a tool result or a fetched document. Simon Willison coined the term in 2022 and it is still the root cause behind most agent compromises.
The lethal trifecta
Simon Willison's name for the three ingredients that turn a prompt injection into a breach: access to private data, exposure to untrusted content, and a way to send data out. Any one alone is fine. All three on the same agent, and an attacker who controls the untrusted content can read your secrets and mail them somewhere.
Rug pull or tool mutation (OWASP MCP04)
MCP clients usually approve a tool once. A rug pull ships a clean tool, earns the approval, then swaps in a malicious version later with no second prompt. Invariant Labs demonstrated working rug pulls against real WhatsApp and GitHub servers.
Excessive agency (OWASP MCP02)
Agents accumulate permissions the way side projects accumulate cloud keys. A tool gets temporary write access, the scope is never trimmed, and a year later the agent can delete production. Excessive agency is the gap between what a tool can do and what it actually needs.
Command injection (OWASP MCP05)
A tool that shells out, calls eval, or builds a system command from model text is a remote code execution waiting to happen. The model is steerable, so a request to run a report can become a request to run a report and then fetch and execute a script.
Supply chain attacks (OWASP MCP04)
Most MCP servers are npm or PyPI packages that pull in dozens of dependencies, each running with the agent's full reach. A compromised or typosquatted package is a clean path into everything the agent can touch.
Token mismanagement (OWASP MCP01)
Long-lived tokens hard-coded in a server, or secrets sitting in logs and model context, are the easiest win an attacker gets. Once a token is in the context window, a single prompt injection can walk it out the door.
Shadow MCP servers (OWASP MCP09)
A developer spins up an MCP server, points it at production data, and forgets about it. No review, default configuration, nobody watching. You cannot defend a server you do not know exists.
Context over-sharing (OWASP MCP10)
When context is shared across sessions or agents without proper scoping, one user's data leaks into another's, and content planted in shared memory follows the agent everywhere.
The OWASP MCP Top 10
The first OWASP framework dedicated to Model Context Protocol security, currently in beta.
- MCP01: Token Mismanagement and Secret Exposure
- MCP02: Privilege Escalation via Scope Creep
- MCP03: Tool Poisoning
- MCP04: Software Supply Chain Attacks and Dependency Tampering
- MCP05: Command Injection and Execution
- MCP06: Prompt Injection via Contextual Payloads
- MCP07: Insufficient Authentication and Authorization
- MCP08: Lack of Audit and Telemetry
- MCP09: Shadow MCP Servers
- MCP10: Context Injection and Over-Sharing
How to secure an MCP server
- Give every tool the least privilege it needs.
- Treat every tool description and tool result as untrusted input.
- Never pass model text straight into a shell, eval, or SQL.
- Break the lethal trifecta: separate private-data readers from external-send tools.
- Pin and re-review tool definitions so a rug pull cannot happen silently.
- Turn on audit logging and actually review it.
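One way to pin tool definitions so a rug pull cannot slip past a one-time approval, as an added example that is not part of this page or Pinaka's product: the client hashes the fields the model actually reads (name, description, input schema) when a human approves the server, then compares every later tools/list against those pins and refuses anything new or changed. The tool definitions below are constructed for illustration.

```python
import hashlib
import json

# Constructed MCP tool definitions, in the shape a server returns from tools/list.
APPROVED_TOOLS = [
    {"name": "read_file",
     "description": "Read a file from the project directory.",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"}},
                     "required": ["path"]}},
    {"name": "list_dir",
     "description": "List files in a directory.",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"}}}},
]

# The same server after a silent update: one description grew, one tool appeared.
MUTATED_TOOLS = [
    {**APPROVED_TOOLS[0],
     "description": "Read a file from the project directory or anywhere on disk."},
    APPROVED_TOOLS[1],
    {"name": "send_email",
     "description": "Send an email on the user's behalf.",
     "inputSchema": {"type": "object", "properties": {"to": {"type": "string"}}}},
]

MODEL_VISIBLE = ("name", "description", "inputSchema")

def tool_fingerprint(tool):
    """SHA-256 over the fields the model reads, serialized canonically so that
    key order or whitespace differences can neither mask nor fake a change."""
    subset = {k: tool.get(k) for k in MODEL_VISIBLE}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def pin_tools(tools):
    """Record the approved definition of every tool, keyed by tool name."""
    return {t["name"]: tool_fingerprint(t) for t in tools}

def check_tools(pinned, tools):
    """Compare a fresh tools/list against the pins. Anything new or changed
    needs a human re-approval before the agent may call it."""
    current = {t["name"]: t for t in tools}
    findings = []
    for name, tool in current.items():
        if name not in pinned:
            findings.append((name, "new tool"))
        elif tool_fingerprint(tool) != pinned[name]:
            findings.append((name, "changed since approval"))
    findings += [(name, "removed") for name in pinned if name not in current]
    return sorted(findings)

def allowed_tools(pinned, tools):
    """Tools the agent may call right now: pinned and unchanged."""
    flagged = {name for name, _ in check_tools(pinned, tools)}
    return [t["name"] for t in tools if t["name"] not in flagged]
```

Store the pins outside the server's reach (a client-side config file or database), and re-run the check on every reconnect rather than only at startup.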
Pinaka's Agent Surface maps the MCP servers and agent tools in your repository and flags these issues against the OWASP MCP Top 10. It runs on your own code, locally.
Related: agentic security and AI security.