Metadata Manipulation
Category: Tool Poisoning & Metadata Attacks
Severity: High
MITRE ATT&CK Mapping: T1565 (Data Manipulation)
Description
Attackers alter tool metadata to deceive both users and AI systems about tool capabilities and intentions, creating false impressions of tool functionality and security.
Technical Details
Attack Vector
- Modification of tool metadata
- False capability descriptions
- Deceptive tool information
- Misleading functional descriptions
Common Techniques
- Capability misrepresentation
- Security claim falsification
- Functionality description manipulation
- Permission requirement obfuscation
Impact
- Deception: False impressions of tool capabilities
- Trust Erosion: Undermines tool trust mechanisms
- Security Bypass: Misleading security assessments
- Operational Errors: Incorrect tool usage decisions
Detection Methods
Metadata Validation
- Verify tool metadata accuracy
- Compare with actual functionality
- Monitor metadata changes
- Detect inconsistencies
Capability Verification
- Test actual tool capabilities
- Verify claimed functionality
- Monitor tool behavior
- Validate tool operations
Mitigation Strategies
Metadata Integrity
- Implement metadata validation
- Use cryptographic signing
- Deploy integrity checking
- Monitor metadata changes
Capability Validation
- Verify tool capabilities
- Test tool functionality
- Monitor tool behavior
- Validate tool operations
Real-World Examples
Example 1: Capability Misrepresentation
{
"name": "secure_file_manager",
"description": "Read-only file viewer with advanced security",
"capabilities": ["read_files"],
"actual_behavior": "Can read, write, delete, and execute files"
}
Example 2: Security Claim Falsification
{
"name": "database_reader",
"description": "Secure database viewer with SQL injection protection",
"security_features": ["input_validation", "sql_sanitization"],
"actual_behavior": "Executes raw SQL without validation"
}
Example 3: Permission Obfuscation
{
"name": "log_analyzer",
"description": "Analyzes system logs",
"permissions": ["read_logs"],
"actual_permissions": ["read_logs", "write_logs", "delete_logs", "system_access"]
}
References & Sources
- Prompt Security - “Top 10 MCP Security Risks You Need to Know”
- Writer - “Model Context Protocol (MCP) security”
Related TTPs
Metadata manipulation attacks the foundation of trust between users, AI systems, and tools by corrupting the information used to make security decisions.