Attack

Claude, MCP & tool poisoning

In Claude Code the most underrated attack isn't the user prompt but the description of a tool: it lands in the very context window Claude reasons over — and can smuggle instructions in there.

~6 min read · Attack

The MCP problem

MCP servers give Claude new tools. Their descriptions flow into the same context as your actual task. A malicious description injects instructions directly into Claude's reasoning — that's called tool poisoning.

Prompt injection via tool descriptions is the most underrated threat in the MCP ecosystem — the description sits in the same context window the model reasons over.

Real-world cases

"One GitHub Issue to break the supply chain": a single manipulated issue was enough to poison Claude Code.

Every coding agent falls

A review of 78 studies (January 2026) tested Claude Code, GitHub Copilot and Cursor — all fell to prompt injection; adaptive attacks landed in over 85% of cases. That's not one vendor's bug but a property of the architecture.

Claude's protection — and its limits

Claude Code ships real safeguards: a permission system, context-aware analysis, input sanitization, a blocklist against risky commands like curl/wget. Good — but permission fatigue, new bypasses, and above all the persistent layer in ~/.claude (skills, MCP configs, memory) remain exposed.

How PoisonZero complements it

Claude's guardrails check the single prompt in the moment. PoisonZero secures what gets persistently stored:

Related: Prompt Injection, Skills as the entry point and Poisoned Pipeline Execution.

Secure Claude's persistent layer.

PoisonZero monitors ~/.claude, MCP configs and memory — and rolls back poisoned writes fail-closed.

Try 14 days free

Read next: Prompt injection explained · Skills as the entry point · Poisoned Pipeline Execution

All articles