AI Agent Security Has a Runtime Blind Spot, and Most Scanners Still Miss It What happened: OWASP now classifies MCP Tool Poisoning as its own attack class, and Microsoft Defender's team has already published Plug, Play, and Prey on the same gap. Why it matters: Most agent scanners check prompts, repos, and tool definitions. None of that catches a tool response that behaves like an instruction. My take: If your agent can call external tools and write to anything sensitive, you are probably one poisoned response away from a problem your scanner cannot see. Two weeks ago I wrote about why MCP became the USB port for AI tools . The plug standard worked. The problem now is what flows through the cable. Tool registries like Smithery list more than 7,000 public MCP servers. Every one of them can hand the model free text. Every one of them sits inside the same context window as your filesystem, your inbox, and your write actions. That is the runtime trust gap.…