Google Publishes WebMCP Agent Security Guidance — Malicious Manifests and Contaminated Tool Outputs as Primary Attack Vectors with Deterministic and Probabilistic Countermeasures

Google's Chrome developer team published 'Agent security considerations for WebMCP' on June 9, 2026, naming two primary attack vectors for browser-based AI agents: (1) malicious manifests — tool definitions with hidden instructions in names, parameters, or descriptions designed to hijack the agent; and (2) contaminated outputs — trusted tools returning third-party content containing injected instructions. The guidance provides a defense-in-depth framework split into deterministic guardrails (token limits, untrustedContentHint acknowledgment, cross-origin restriction, user confirmation for state-changing actions) and probabilistic guardrails (spotlighting via delimiters or Base64 encoding, prompt-injection classifiers, critic models for intent alignment and data minimization). A companion page on WebMCP tool security provides specific character budget recommendations and API patterns for origin-scoped tool exposure.

WebMCP is now in origin-trial in Chrome 149 and will move to stable; the security threat surface it introduces — authenticated browser-session agents that can be hijacked via tool metadata — is new and not covered by existing prompt-injection defences. This guidance is the only published primary-source framework specifically addressing the dynamic tool-surface risks inherent to browser agents, and represents a practical implementation baseline that developers should adopt immediately as they build or deploy WebMCP-enabled products.

Distribute Google's WebMCP security guidance to any team building browser-embedded agents or Chrome extensions using WebMCP; mandate the four deterministic guardrails (token limits, untrustedContentHint, cross-origin restriction, state-change confirmation) as a minimum deployment checklist before any WebMCP-based agent ships to production.