Research shows MCP tool descriptions can guide AI model behavior for logging and control – News

New research published today from Tenable Inc. examines how prompt injection techniques in Anthropic PBC’s Model Context Protocol can be harnessed not just for exploitation, but also for strengthening security, compliance and observability in artificial intelligence agent environments.

MCP is a framework developed by Anthropic that allows large language models to interface dynamically with external tools and services. The protocol’s popularity has grown rapidly as it allows for the creation of agentic AI systems — autonomous agents that can perform complex, multistep tasks by calling tools through structured, modular application programming interfaces.

In the new research, Tenable’s research demonstrates how MCP’s tool descriptions, which are normally used to guide AI behavior, can be crafted to enforce execution sequences and insert logging routines automatically. The researchers were able to prompt some large language models to run it first by embedding priority instructions into a logging tool’s description before executing any other MCP tools, capturing details about the server, tool and user prompt that initiated the call.

The experiment revealed variations in how LLMs respond to these embedded instructions. Models such as Claude Sonnet 3.7 and Gemini 2.5 Pro were found to be more consistent in following the enforced order, while GPT-4o showed a tendency to hallucinate or produce inconsistent logging data, likely due to differences in how it interprets tool parameters and descriptions.

In another test, Tenable created a tool designed to filter and block specific MCP tools by name, functioning sort of like a policy firewall. When the AI was instructed to call this tool first, it could prevent the use of certain functions, such as a “get_alerts” tool, by returning a simulated policy violation message.

The researchers also experimented with introspection tools that asked the AI to identify other MCP tools that might be configured to run first. While results did vary, some models returned names of other inline tools, suggesting that MCP hierarchies can, in some cases, be inferred by leveraging prompt-driven tool chaining. The research notes that the technique could be valuable for threat detection or reverse-engineering tool configurations.

Another experiment attempted to extract the system prompt used by the LLM itself by embedding a request in the tool description. Though the accuracy of the returned text couldn’t be fully verified, the models did return structured results, sometimes repeating system-like language, that could provide insight into how the AI interprets its operational environment.

The findings are interesting as they highlight both the flexibility and fragility of agentic AI systems built on MCP.

As organizations increasingly deploy autonomous agents to handle sensitive workflows, understanding how these systems interpret and act on tool instructions becomes critical. Tenable’s research notes that even subtle manipulations of tool descriptions can lead to unpredictable or exploitable behavior. And yet, when applied responsibly, the same mechanisms can improve logging, compliance and control.

“MCP is a rapidly evolving and immature technology that’s reshaping how we interact with AI,” Ben Smith, senior staff research engineer at Tenable, told News via email. “MCP tools are easy to develop and plentiful, but they do not embody the principles of security by design and should be handled with care.”

As a result, he added, “while these new techniques are useful for building powerful tools, those same methods can be repurposed for nefarious means. Don’t throw caution to the wind; instead, treat MCP servers as an extension of your attack surface.”

Image: News/Reve