Microsoft researchers are flagging a sneaky risk: tiny text blurbs that describe external tools in the Model Context Protocol (MCP) can be weaponized so AI agents quietly hand over company data — and the agent technically never breaks any rules while doing it. In short, a few words in the wrong place can make a helpful assistant into a data mule.
Why this feels like magic (but is actually boring text tricks)
Modern AI agents don’t just answer questions anymore — they can send email, edit calendars, create files, and poke into business systems. To do that safely they call external helpers using MCP, and each helper comes with a short human-readable blurb explaining what it does. The snag: those blurbs are plain text, and text can be turned into secret orders.
Imagine an approved third-party invoice tool whose visible name and summary look fine, but its description hides a quiet instruction to attach the last thirty unpaid invoices and include them in the next request. The agent reads the description as part of its decision-making, follows the hidden instruction, and the data leaves the company — while everything appears normal. Every action looks legitimate: approved tool, allowed endpoint, routine query. The real weakness sits in what researchers call the trust boundary between tools and agents.
This isn’t a hack where the agent is forced to lie or ignore rules. It’s an exploitation of how agents mix tool instructions and data in the same memory. Edit the description and you effectively rewrite what the agent thinks is a valid step — no glitch, no alarm, just bad outcomes.
How to stop your AI helper from becoming a leaky faucet
- Treat every external tool like a supply-chain component: maintain a curated list of approved publishers and avoid “allow all” settings.
- Review tool descriptions like code changes. If a help field suddenly contains anything that reads like a command, kick it back for review.
- Put humans in the loop for sensitive moves. Any action that shares data externally, moves money, or changes accounts should require explicit sign-off.
- Give each agent a distinct identity and monitor it. Log activity, learn what ‘normal’ looks like, and alert on unusual endpoints, unusually large pulls, or odd queries.
- Apply “least agency” as well as least privilege: limit what agents are allowed to do automatically, not just what data they can reach.
These basics work regardless of cloud vendor or security tools — they’re about mindset and process. Also, treat tool descriptions as part of your security model: they are not innocent user-facing copy, they are instructions in disguise.
Researchers have already demonstrated proof-of-concept attacks where tool blurbs stole SSH keys, where malicious issue text exfiltrated repository data, and where an npm package quietly BCC’d emails sent by agents. Benchmarks run on many MCP servers and models have shown surprisingly high success rates for these tricks — the models rarely refuse the injected instructions.
The takeaway: agents are only as trustworthy as the tools you let them touch. Guard the small text fields. Audit the sources. And remember: it’s not the AI going rogue so much as the supply chain whispering the wrong thing into its ear. Keep the whispers out.