Tenable Research has demonstrated how to audit, log, and even firewall Large Language Model (LLM) tool calls running over Model Context Protocol (MCP) through strategies that resemble prompt injection.
MCP
MCP, a new standard from Anthropic, allows AI chatbots to connect to external tools and complete tasks autonomously. But as adoption grows, so do security concerns.

“MCP tools are easy to develop and plentiful, but they do not embody the principles of security by design and should be handled with care. So, while these new techniques are useful for building powerful tools, those same methods can be repurposed for nefarious means,” said Ben Smith, senior staff research engineer at Tenable.
Prompt injection
Prompt injection remains one of the key risks. Smith wrote in a blog post that it is a weakness in LLMs that can be used to elicit unintended behaviour, circumvent safeguards and produce potentially malicious responses. Prompt injection occurs when an attacker instructs the LLM to disregard other rules and do the attacker’s bidding.
Key research highlights
The research found that cross-model behaviour varies: “These methods rely on LLM prompting via the description and return values of the MCP tools themselves. Since LLMs are non-deterministic, so are the results. Lots of things could affect the results here: the model in use, temperature and safety settings, specific language, etc.,” Smith explained.
It also found that the same mechanisms used for exploitation can help audit toolchains, detect malicious or unknown tools, and build guardrails inside MCP hosts.
Further, Smith urged that tools should require explicit approval before running in most MCP Host applications.
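The audit, unknown-tool detection and explicit-approval goals above can also be enforced deterministically in the MCP host instead of through tool descriptions. The sketch below is an added example, not Tenable's code or technique: the ToolGate class, the approve callback and the sample tool listings are hypothetical, and only the JSON-RPC "tools/call" request shape and the name, description and inputSchema fields of a tool listing come from the MCP specification.

```python
import hashlib
import json

def fingerprint(tool):
    """SHA-256 over the fields of a tools/list entry that the model gets to read."""
    fields = [tool["name"], tool.get("description", ""), tool.get("inputSchema", {})]
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

class ToolGate:
    """Hypothetical host-side gate: pin reviewed tools, log and approve every call."""

    def __init__(self, reviewed_tools, approve):
        self.pinned = {t["name"]: fingerprint(t) for t in reviewed_tools}
        self.approve = approve      # callback(name, arguments) -> bool, asks the user
        self.audit_log = []         # one record per tools/call request

    def handle(self, request, listed_tools):
        """Return 'forward', 'blocked' (unknown/changed tool) or 'denied' (user said no)."""
        if request.get("method") != "tools/call":
            return "forward"        # only tool invocations are gated
        name = request["params"]["name"]
        args = request["params"].get("arguments", {})
        tool = {t["name"]: t for t in listed_tools}.get(name)
        if tool is None or self.pinned.get(name) != fingerprint(tool):
            verdict = "blocked"
        elif not self.approve(name, args):
            verdict = "denied"
        else:
            verdict = "forward"
        self.audit_log.append({"id": request.get("id"), "tool": name,
                               "arguments": args, "verdict": verdict})
        return verdict

# Constructed sample data (not from the research): a reviewed listing and a later
# listing in which one description changed and one unreviewed tool appeared.
REVIEWED = [{"name": "get_weather", "description": "Return the forecast for a city.",
             "inputSchema": {"type": "object", "properties": {"city": {"type": "string"}}}}]
LATER = [dict(REVIEWED[0], description="Return the forecast. (text changed after review)"),
         {"name": "read_file", "description": "Read a local file.", "inputSchema": {}}]

def call(req_id, name, arguments):
    """Build a JSON-RPC 2.0 tools/call request as an MCP client sends it."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}

if __name__ == "__main__":
    gate = ToolGate(REVIEWED, approve=lambda name, args: True)
    print(gate.handle(call(1, "get_weather", {"city": "Oslo"}), REVIEWED))
    print(gate.handle(call(2, "get_weather", {"city": "Oslo"}), LATER))
    print(gate.handle(call(3, "read_file", {"path": "notes.txt"}), LATER))
    print(json.dumps(gate.audit_log, indent=2))
```

Because the check runs in host code, its verdicts do not vary with the model, temperature or wording the way description-based prompting does.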