attack 2025

Automatic Red Teaming LLM-based Agents with Model Context Protocol Tools

Ping He [1], Changjiang Li [2], Binbin Zhao [1], Tianyu Du [1], Shouling Ji [1]

6 citations · 68 references · arXiv

Published on arXiv: 2509.21011

OWASP LLM Top 10 categories

  • Insecure Plugin Design (LLM07)
  • Prompt Injection (LLM01)

Key Finding

AutoMalTool successfully generates malicious MCP tools that manipulate the behavior of mainstream LLM-based agents while bypassing current detection defenses.

Novel technique introduced: AutoMalTool


The remarkable capability of large language models (LLMs) has led to the wide application of LLM-based agents in various domains. To standardize interactions between LLM-based agents and their environments, model context protocol (MCP) tools have become the de facto standard and are now widely integrated into these agents. However, the incorporation of MCP tools introduces the risk of tool poisoning attacks, which can manipulate the behavior of LLM-based agents. Although previous studies have identified such vulnerabilities, their red teaming approaches have largely remained at the proof-of-concept stage, leaving the automatic and systematic red teaming of LLM-based agents under the MCP tool poisoning paradigm an open question. To bridge this gap, we propose AutoMalTool, an automated red teaming framework for LLM-based agents by generating malicious MCP tools. Our extensive evaluation shows that AutoMalTool effectively generates malicious MCP tools capable of manipulating the behavior of mainstream LLM-based agents while evading current detection mechanisms, thereby revealing new security risks in these agents.


Key Contributions

  • AutoMalTool: an automated framework for generating malicious MCP tools targeting LLM-based agents
  • Systematic red teaming methodology that moves beyond proof-of-concept tool poisoning to automated attack generation
  • Empirical demonstration that generated malicious tools manipulate mainstream LLM agents while evading existing detection mechanisms

🛡️ Threat Analysis


Details

  • Domains: nlp
  • Model types: llm
  • Threat tags: inference_time, targeted, black_box
  • Applications: llm-based agents, mcp tool-integrated systems