| name | poisoning-triage |
| description | Deep-dive triage and explanation of a specific MCP tool poisoning finding. Trigger when the user says "explain this finding", "why is this flagged", "triage this", "is this a false positive", "what does this mean", or pastes a finding excerpt for review. Also trigger when a scan produces a HIGH or CRITICAL finding and the user wants to understand it. |
Poisoning Triage
Provides human-readable explanation of a specific MCP tool poisoning finding, assesses false positive likelihood, and recommends remediation.
Triage Steps
- Read the finding: category, severity, excerpt, OWASP ID
- Explain what attack class this represents in plain English
- Show what the model would have seen vs what the user saw (the asymmetry)
- Assess false positive likelihood: is this a legitimate complex description or an actual payload?
- If false positive: explain why and suggest adding to allowlist
- If real: explain the blast radius (what could an attacker do with this?)
- Recommend remediation: remove the server, patch the description, or allowlist with justification
False Positive Signals
- Tool is from a well-known OSS project (GitHub stars, maintenance history)
- Directive language is instructional (documentation style) not imperative (command style)
- No credential path references, no secrecy demands, no cross-tool instructions
- Unicode characters are legitimate (non-English tool names, emoji in title fields)
Real Payload Signals
- Imperative verbs targeting the model ("read", "send", "do not tell")
- Credential file paths referenced anywhere in description
- Instructions that reference OTHER tools ("when send_email is called")
- Secrecy demands ("do not mention this", "hide", "without telling the user")
- Base64-encoded content in descriptions
<IMPORTANT> or XML-style directive wrappers
OWASP Agentic Top-10 Reference
- AAI-T01: Memory Poisoning
- AAI-T02: Tool Misuse
- AAI-T03: Privilege Compromise / Scope Escalation
- AAI-T06: Agent Communication Poisoning (tool poisoning)
- AAI-T08: Supply Chain & Dependency Attacks (malicious MCP servers)
Output Format
- Plain English summary (2-3 sentences)
- Attack scenario: what would actually happen if this fired
- False positive assessment: LOW / MEDIUM / HIGH likelihood
- Recommended action: REMOVE / PATCH / ALLOWLIST / MONITOR