DEV Community

Michael "Mike" K. Saleme
Michael "Mike" K. Saleme

Posted on

Two agent-tool attacks, one lesson: detection has a ceiling, enforceable authority has a floor

Two agent-tool security papers landed in June. Read together, they expose the boundary between semantic detection and enforceable control.

A common response to malicious agent tools is to scan tool descriptions: inspect the text an agent is about to trust, decide whether it appears malicious, and block it if so.

ShareLock shows where that approach ends.

The technique splits a single malicious instruction into benign-looking shares using a Shamir threshold scheme, and embeds one share per tool description. Below the reconstruction threshold, a scanner cannot recover the malicious instruction from the share contents. The full instruction reconstructs only once enough shares are aggregated in the agent's context. The reported result is an average attack success rate exceeding 90% — ASR@3, across four models and two MCP clients (arXiv 2606.27027).

Be precise about what that proves. Information-theoretic secrecy protects the underlying secret below the threshold. It does not make every artifact undetectable, and it does not defeat a system that correlates the complete tool set. What it exposes is the ceiling of evaluating each tool description independently.

The second paper shows what enforceable control looks like at runtime.

WebMCP Tool Surface Poisoning (MSTI) attacks the tool registry at runtime. A third-party script fires a legitimate tool's AbortController to unregister it, then re-registers a malicious tool under the identical name before first invocation — or wins a registration race so the agent only ever sees the malicious version. AbortSignal hijacking reached 94% success; the registration race, 100% across every model tested (arXiv 2606.06387).

The paper's defense has two parts, and the distinction matters. Origin-bound, immutable tool identity stops substitution and lifecycle attacks — a malicious script cannot become a trusted tool merely by reusing its name, because validation happens on the identity bound to origin, not the public name. Capability and data-flow enforcement then limit what even a legitimately identified tool may receive or do. Together, those defenses reduced attack success to zero under the paper's tested conditions.

That is the durable lesson from the two papers. Content detection remains useful, but probabilistic. Tool identity, lifecycle integrity, and capability boundaries provide properties the runtime can enforce even when semantic inspection is uncertain.

The exposed surface here is not a weak scanner. It is an agent that trusts the tool set it was handed and never checks which tool it is calling, or what that tool is allowed to touch.

Detection asks what the tool says. Authority verification asks which tool this is — and what it is permitted to receive and do. The second question can still be enforced after the first becomes uncertain.

Top comments (0)