Here's something that took me a while to fully accept: you can compromise an AI agent without writing a single line of malicious code. No buffer overflows. No exploit payloads. No injected shell commands. The attack surface is a text field — specifically, the natural language description attached to an MCP tool definition.

We call it tool poisoning. It's the most dangerous finding we encountered when we scanned 448 MCP servers. And it's the one that existing security tooling is completely blind to.

How MCP tool descriptions actually work

When an AI agent connects to an MCP server, the first thing it does is read the tool manifest — a structured list of everything the server can do. Tool names, parameters, and a natural language description of what each tool is for and how to use it.

The agent uses those descriptions to decide things. Which tool fits this request? How should tools be chained? What parameters make sense? The descriptions are, functionally, instructions from the tool author to the LLM.…