Skip to main content

On This Page
← AI News
AI News Security AI Engineering

Securing MCP Servers: Detecting Tool Poisoning and the Lethal Trifecta with ghostprobe

2 min read
Share

These articles are AI-generated summaries. Please check the original sources for full details.

I built a red-team scanner for MCP servers. Then I pointed it at the real ones.

Joe Munene developed ghostprobe to analyze the attack surface of Model Context Protocol (MCP) servers. The tool specifically targets the tool list, where descriptions are injected directly into an agent’s context with high authority.

Why This Matters

While developers often focus on auditing server code, the Model Context Protocol exposes a critical attack surface in how tools are advertised to AI agents. Because models treat tool descriptions as authoritative instructions, a server can smuggle malicious commands through text or invisible Unicode, turning legitimate tools into vectors for data exfiltration.

Key Insights

    • Tool poisoning is a known vulnerability pattern used in CVE-2025-54136 to hide instructions inside harmless-looking tool descriptions.
    • The ‘Lethal Trifecta’ concept (Simon Willison) occurs when a server provides private-data access, an exfiltration sink, and exposure to untrusted content simultaneously.
    • Collaborative platforms like GitHub act as exfiltration sinks; functions such as ‘create_issue’ or ‘push_files’ allow data to leave the trust boundary (Invariant Labs disclosure, 2025).
    • ghostprobe reduces false positives by requiring execution verbs paired with objects rather than relying on simple keywords like ‘system’.

Working Examples

Installing ghostprobe and scanning a live GitHub MCP server via stdio.

pip install "git+https://github.com/joemunene-by/ghostprobe.git" mcp
ghostprobe stdio -- npx -y @modelcontextprotocol/server-github

Scanning a saved tools list dump offline.

ghostprobe scan-file tools.json

Practical Applications

    • Use Case: Security teams using ghostprobe to automatically detect if an MCP server advertises capabilities that enable prompt injection exfiltration.
    • Pitfall: Relying solely on code audits of MCP servers while ignoring the advertised tool list, which allows attackers to influence agent behavior without modifying source code.

References:

Continue reading

Next article

Manual vs. Programmatic 3D Print Pricing: 2026 Tool Comparison

Related Content

Feb 23, 2026

Security Analysis: 174 AI Agent Requests to a Public MCP Server

Analysis of 174 MCP requests reveals that 37.4% of servers lack auth and agents are already attempting credential extraction through social engineering.

Read article
Nov 21, 2025

Introducing SSH Secure Audit: A Lightweight Open-Source SSH Security Scanner for Linux

SSH Secure Audit is a new open-source tool that quickly identifies risky SSH configurations on Linux systems.

Read article
Jun 1, 2026

Evidence-First AI Security: Building the EllipticZero Research Lab

Vladimir Stelmak introduces EllipticZero, a local-first workflow separating AI reasoning from technical evidence in smart-contract security reviews.

Read article