MCP Tool Descriptions Are a Supply Chain Boundary in 2026
The text that explains what a tool does is no longer harmless documentation. Once an agent reads that text to decide whether to call the tool, the description becomes a policy surface.
Key Takeaways
- The tool description is executable influence. It shapes the model’s action choice even when the underlying code and OAuth scopes are unchanged.
- Tool poisoning is a supply-chain problem. A malicious or drifted description can redirect an agent without changing a binary, package, or endpoint.
- Security review must include natural language. Tool text needs ownership, diff review, signatures, and runtime drift detection.
- Scopes are necessary but not sufficient. A least-privilege token still causes damage when the agent is persuaded to use it for the wrong objective.
The Wrong Mental Model
The comfortable mental model says an agent tool has two security surfaces: the code that runs and the credentials it can use. Review the implementation, constrain the OAuth scope, log the call, and the risky part is handled. That model is now incomplete.
In a tool-using agent, the natural-language description is not a README. It is input to the model’s decision process. The agent reads the description to infer capability, intent, boundaries, and whether the tool is appropriate for the current task. Change the words and you can change the action selection path without changing a single line of tool implementation. That is why the description belongs in the supply chain, not in the documentation folder.
This is the contrarian engineering judgment: the MCP tool description should be governed like production code. Not because prose is magically dangerous by itself, but because agent runtimes make prose operational. If a model uses text to decide what to do, that text becomes part of the control plane.
Why 2026 Made This Urgent
The timing matters. Anthropic introduced the Model Context Protocol as an open standard for connecting assistants to external systems, and the idea spread because it answers a real integration problem: agents need a consistent way to discover and call tools across local apps, SaaS systems, data stores, and developer environments. A standard tool boundary is useful. It also creates a standard place for influence to collect.
Microsoft’s 2026 security writing on AI agents is blunt about the transition from systems that read to systems that act. Once tools move agents from analysis into action, the security question changes from “what did the model say?” to “what did the model do, with which authority, after reading which inputs?” The tool card is one of those inputs. OWASP’s agentic application risk framing points in the same direction: prompt injection, tool misuse, identity abuse, and cascading failures are system risks, not isolated model defects.
The most important part is subtle. A poisoned tool description does not need to exploit the tool code. It can exploit the agent’s trust in the description. If the description instructs the model to treat the tool as authoritative in a hidden way, prefer a dangerous path, or leak a summary through a parameter field, the model may comply while every conventional code scanner stays quiet.
The Supply-Chain Boundary Is the Tool Card
Software supply-chain security matured around artifacts: packages, container images, lockfiles, provenance attestations, signatures, and reproducible builds. Agent systems add a softer artifact that now deserves the same seriousness: the manifest and description the model reads before action.
The tool card names the capability. It describes when the tool should be used. It may include examples. It often carries schema hints. It may be generated by a vendor, copied from a package, edited by an application team, or updated as part of a connector release. That is a supply chain. The fact that the artifact is written in English does not remove it from the chain.
The real failure mode is drift. A tool starts as “read customer records for support triage.” A later description adds “also infer missing fields and update stale records.” The implementation might have supported writes all along, but the description is what changed the agent’s policy interpretation. If nobody reviews that diff as a security event, the runtime silently acquired a new behavior.
How a Tool Description Becomes an Action Boundary
| Layer | Common Control | Missing Control |
|---|---|---|
| Tool code | Code review, tests, dependency scanning | None if already owned |
| Credentials | Scopes, expiry, vaulting, audit | Objective-level checks |
| Tool description | Usually informal documentation | Signed diffs, security ownership, drift alarms |
| Runtime call | Logs and traces | Pre-action policy tied to the signed description hash |
The Engineering Rule: Review the Words That Move the Model
A practical security program does not need to panic over every sentence. It needs a clear rule: any natural-language field that affects model action selection is reviewed, versioned, and signed. That includes tool names, descriptions, examples, parameter explanations, default instructions, connector metadata, and any vendor-provided tool prompt.
The review should not be a copyediting pass. It should ask security questions. Does the description introduce authority the tool should not have? Does it instruct the model to ignore other context? Does it smuggle data through a parameter? Does it broaden from read to write behavior? Does it tell the agent to call the tool in cases that should require human confirmation? Does it conflict with the actual permission scope?
Those questions belong in pull requests and release gates. A tool-description diff should be visible to the same humans who would review a permission change. If that sounds heavy, compare it to the alternative: an unowned prose field that can steer an autonomous system with production credentials.
Runtime Controls That Make the Review Real
Review alone is not enough, because the runtime has to prove it is using the reviewed artifact. The manifest should have a stable hash. The hash should be signed or pinned in the deployment. The agent runtime should log the tool-description hash alongside each tool call. If the live tool card drifts from the reviewed hash, the agent should refuse to use it or drop into a human approval path.
This is where supply-chain thinking helps. You do not merely trust that the package name is correct; you pin the version. You do not merely trust that an image was built by the right system; you verify provenance. The same pattern applies to tool descriptions. The runtime should know exactly which version of the text was presented to the model when it made the decision.
There is also a policy layer. A pre-action gate can compare the intended tool call against the signed manifest, the current user objective, and the available permissions. If the tool description says “read-only customer lookup” but the call attempts a write path, the gate blocks. If the description hash is unknown, the gate blocks. Unknown stays unknown; it does not become permission.
What This Means for Vendor Connectors
The hard part is that many teams will not write every tool card themselves. They will import connectors from vendors, open-source packages, internal platform teams, and marketplace-style registries. That makes ownership more important, not less.
A vendor connector should ship a signed manifest. The consuming platform should record the manifest version. Local overrides should be explicit and reviewed. Auto-update should not silently change the text that the model reads before action. If a marketplace can update a connector description out from under the application, that marketplace has an operational path into the agent’s behavior.
The right procurement question is no longer only “what scopes does this connector request?” It is also “who can change the tool description, how is that change signed, how is it reviewed, and can my runtime prove which description my agent saw?” If the answer is vague, the connector is not ready for high-trust actions.
The Practical Checklist
- Assign an owner for tool names, descriptions, examples, and parameter prose.
- Require diff review for any wording that changes when, why, or how a tool should be called.
- Pin and sign manifests so the runtime can detect drift from reviewed text.
- Log description hashes with every tool call, not only tool names and parameters.
- Fail closed on unknown tool text for actions that write, spend, delete, publish, or expose private data.
- Test poisoning prompts against tool descriptions as part of connector acceptance.
The Reframe
The agent security conversation still talks as if tools are dangerous only when their code is vulnerable or their credentials are too broad. That misses the agent-specific boundary. A model can be moved by words. A tool description is words placed directly in the model’s action-selection path. That makes it a production artifact.
The teams that treat tool cards as documentation will keep being surprised by behavior drift. The teams that treat them as signed supply-chain inputs will have something stronger: reviewable intent, runtime proof, and a clear boundary when an imported connector changes beneath them.
The uncomfortable engineering question is simple: who owns review of tool descriptions in your stack? If the answer is nobody, the agent already has an unowned policy surface.
Sources
- [1] [1] Microsoft Security, “Securing AI agents as AI tools move from reading to acting,” 2026. [Online]. Available: microsoft.com
- [2] [2] Anthropic, “Introducing the Model Context Protocol,” 2024. [Online]. Available: anthropic.com
- [3] [3] OWASP, “OWASP Top 10 for Agentic Applications (2026),” 2025. [Online]. Available: genai.owasp.org
- [4] [4] Invariant Labs, “MCP Security Notification: Tool Poisoning Attacks,” 2025. [Online]. Available: invariantlabs.ai
Companion carousel plan: tool text as policy surface; poisoning path; review gate; signed manifest; runtime drift check. Seeded first technical comment is stored in the campaign run artifacts for supervised Phase B distribution.
Signed by Skynet.