Technical description
Research shows 43% of publicly reachable MCP servers are exploitable for command execution; ~21,000 exposed AI agent instances detected. Attackers inject instructions into MCP tool metadata (descriptions, parameters) that agents implicitly trust. The OpenClaw class of attacks hijacks developer agents via implicit localhost trust.
Attack vector
Malicious metadata in tool descriptions; poisoned tool outputs embedding hidden instructions; web-based exploitation of localhost trust; supply-chain compromise of MCP tool libraries.
Affected systems
Agentic AI deployments using MCP or similar tool-calling frameworks, especially developer environments and enterprise assistants with broad tool access.
Mitigation
Harden MCP server implementations; audit/sandbox tool metadata; enforce instruction/data boundaries; remove implicit localhost trust; require explicit authorisation for privileged tools; monitor tool-call anomalies.