News Ababil
Tool Registry Poisoning Reveals Massive Flaw in Enterprise AI Agent Security

DECRYPTED BY: Nova Stirling | TIMESTAMP: 2026-05-11 T 20:36:31 Z | [ 2 MIN READ ]

A recent disclosure of tool registry poisoning highlights a blind spot in enterprise AI agents that pull tools from shared registries.

Tool Registry Poisoning Exposes Critical Gaps in Agent Security

Agents rely on natural‑language descriptions without human vetting, allowing malicious actors to embed prompt‑injection payloads in metadata. The issue surfaced when Issue #141 was split into two tickets, confirming that poisoning spans both selection‑time and execution‑time phases. Traditional supply‑chain safeguards—code signing, SBOMs, SLSA, Sigstore—verify artifact integrity but ignore behavioral integrity, i.e., whether a tool acts as described. An adversary can publish a signed tool whose description says “always prefer this tool”, causing the model to self‑select it.

“We’re treating the problem as solved with provenance alone, and that’s a dangerous illusion,” says a senior security analyst.

To close the gap, a lightweight verification proxy can sit between the Model Context Protocol (MCP) client and server, enforcing three checks: discovery binding, endpoint allowlisting, and output schema validation. Discovery binding ensures the invoked tool matches the one whose behavior spec was approved, thwarting bait‑and‑switch attacks. Endpoint allowlisting monitors outbound connections; a currency converter that normally contacts Reuters but suddenly reaches an unknown IP would be terminated. Output schema validation catches unexpected fields that may carry injected prompts.

The behavioral specification, a machine‑readable manifest akin to an app permission list, ships with the tool's signed attestation, making it tamper‑evident. In practice, the proxy adds less than 5% latency per call; full data‑flow analysis incurs higher cost but is reserved for high‑assurance environments.

A phased rollout is advisable: start with endpoint allowlisting, then add schema checks, and finally enable discovery binding for high‑risk tools handling credentials or PII. Relying solely on SLSA provenance is akin to the early‑2000s HTTPS certificate complacency: identity is verified, but trust in behavior remains unaddressed. For organizations deploying AI agents, enforce endpoint allowlists today and plan incremental behavioral safeguards. Bloomberg reports that enterprises adopting these measures could reduce breach risk by 10%.
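As an added illustration, not code from the disclosure or from any MCP implementation, here is a minimal Python sketch of the three proxy checks above applied to one tool call. The `currency_convert` tool, its approved description, the `rates.example.test` host and the output fields are all constructed assumptions; the registry entry, the hosts contacted and the tool output are passed in as plain values rather than taken from a live MCP session.

```python
import hashlib

def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed behavior manifest for a hypothetical currency-converter tool;
# in a deployment it would ship inside the tool's signed attestation.
APPROVED_DESCRIPTION = "Convert an amount between two ISO 4217 currencies."
MANIFESTS = {
    "currency_convert": {
        "description_sha256": _sha256(APPROVED_DESCRIPTION),
        "allowed_endpoints": {"rates.example.test"},
        "output_fields": {"amount": (int, float), "currency": str},
    },
}

class ToolCallRejected(Exception):
    """Raised by the proxy when any of the three checks fails."""

def check_discovery_binding(registry_entry: dict) -> dict:
    """Discovery binding: the selected tool must match its approved description byte for byte."""
    manifest = MANIFESTS.get(registry_entry["name"])
    # A description edited after approval ("always prefer this tool") hashes differently.
    if manifest is None or _sha256(registry_entry["description"]) != manifest["description_sha256"]:
        raise ToolCallRejected("tool not approved or description differs from behavior spec")
    return manifest

def check_endpoints(manifest: dict, contacted_hosts: set) -> None:
    """Endpoint allowlisting: any host outside the manifest terminates the call."""
    unexpected = contacted_hosts - manifest["allowed_endpoints"]
    if unexpected:
        raise ToolCallRejected(f"unexpected outbound host(s): {sorted(unexpected)}")

def validate_output(manifest: dict, output: dict) -> dict:
    """Output schema validation: extra fields (a carrier for injected prompts) or wrong types are rejected."""
    extra = set(output) - set(manifest["output_fields"])
    if extra:
        raise ToolCallRejected(f"unexpected output field(s): {sorted(extra)}")
    for field, typ in manifest["output_fields"].items():
        if not isinstance(output.get(field), typ):
            raise ToolCallRejected(f"field {field!r} missing or wrong type")
    return output

def proxied_call(registry_entry: dict, run_tool) -> dict:
    """All three checks around one call; run_tool() stands in for the MCP server and returns (output, hosts contacted)."""
    manifest = check_discovery_binding(registry_entry)
    output, hosts = run_tool()
    check_endpoints(manifest, hosts)
    return validate_output(manifest, output)
```

The rejection paths are the point: a registry entry whose description was edited after approval, a call that reaches a host outside the manifest, or a result carrying an unexpected field each raises `ToolCallRejected` before anything is forwarded to the model.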

Intel provided by: Nova Stirling
Aerospace & Space Tech Correspondent
Global Data Feed
