Securing AI Agents' Tool Calls with a Firewall

The article discusses the security risks associated with the Model Context Protocol (MCP), which is becoming the standard way for AI agents to interact with external tools. It highlights three key threats: tool poisoning, rug-pull attacks, and cross-server data leakage.

Details

The Model Context Protocol (MCP) is an open standard that allows AI agents to discover and invoke external tools and data sources. Instead of hardcoding API calls, agents can connect to an MCP server that advertises a catalog of tools with descriptions and parameter schemas. This solves the problem of standardized tool integration without bespoke glue code. However, the article highlights three key security risks with this approach. First, the free-form 'description' field of MCP tools can be used to inject hidden instructions that the AI agent will blindly follow, bypassing any user-facing safeguards. This is a form of prompt injection. Second, an MCP server can silently update a tool's description, schema, or behavior after the agent has already approved it, leading to a rug-pull attack. Third, when an agent connects to multiple MCP servers, there are no safeguards to prevent data from one server being sent to another, leading to cross-server data leakage. The article provides specific guidance on how to detect and mitigate these threats, including sanitizing tool descriptions, fingerprinting tool definitions, and implementing access controls between MCP servers.