Why it matters
Report on Microsoft research showing that poisoned MCP tool descriptions can influence agents into leaking data while each individual step appears routine. The issue is important because tool metadata is model context, and model context can become an instruction channel if it is not treated as untrusted input.
My takeaway: MCP tool descriptions and other tool metadata need provenance, review, and isolation. Agents should not blindly trust instructions embedded in tool descriptions, retrieved content, or integration metadata.