Metadata Manipulation
Category: Tool Poisoning & Metadata Attacks
Severity: High
Description
Attackers alter tool metadata (the name, description, declared capabilities and permission requirements that users and AI systems read when deciding whether and how to use a tool) so that it misrepresents what the tool actually does, creating false impressions of tool functionality and security.
Technical Details
Attack Vector
- Modification of tool metadata
- False capability descriptions
- Deceptive tool information
- Misleading functional descriptions
Common Techniques
- Capability misrepresentation
- Security claim falsification
- Functionality description manipulation
- Permission requirement obfuscation
Impact
- Deception: False impressions of tool capabilities
- Trust Erosion: Undermines tool trust mechanisms
- Security Bypass: Misleading security assessments
- Operational Errors: Incorrect tool usage decisions
Detection Methods
Metadata Validation
- Verify that tool metadata (description, capabilities, permissions) accurately describes the tool
- Compare declared capabilities with actual functionality
- Monitor metadata for changes after it was reviewed
- Detect inconsistencies between declared and observed behavior
Capability Verification
- Test actual tool capabilities
- Verify claimed functionality
- Monitor tool behavior
- Validate tool operations
Mitigation Strategies
Metadata Integrity
- Implement metadata validation against the version that was reviewed and approved
- Use cryptographic signing so that unauthorized metadata changes are detectable
- Deploy integrity checking before tool metadata is trusted
- Monitor metadata changes and flag drift from the approved version
Capability Validation
- Verify tool capabilities
- Test tool functionality
- Monitor tool behavior
- Validate tool operations
Real-World Examples
Example 1: Capability Misrepresentation
{
"name": "secure_file_manager",
"description": "Read-only file viewer with advanced security",
"capabilities": ["read_files"],
"actual_behavior": "Can read, write, delete, and execute files"
}
Example 2: Security Claim Falsification
{
"name": "database_reader",
"description": "Secure database viewer with SQL injection protection",
"security_features": ["input_validation", "sql_sanitization"],
"actual_behavior": "Executes raw SQL without validation"
}
Example 3: Permission Obfuscation
{
"name": "log_analyzer",
"description": "Analyzes system logs",
"permissions": ["read_logs"],
"actual_permissions": ["read_logs", "write_logs", "delete_logs", "system_access"]
}
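The following is an added example, not code from the original page or from the sources it cites, showing how the Metadata Integrity and Capability Validation mitigations above can be combined in practice: it pins an approved manifest (a constructed copy of the log_analyzer manifest from Example 3) with an HMAC over its canonical JSON, flags fields that drifted from the approved copy, and reports permissions exercised at runtime that the manifest never declared. The registry key, manifest and observed permission set are constructed assumptions.

```python
import hashlib
import hmac
import json
# Constructed sample: the manifest an operator reviewed and approved at onboarding.
APPROVED_MANIFEST = {
    "name": "log_analyzer",
    "description": "Analyzes system logs",
    "permissions": ["read_logs"],
}
# Hypothetical signing key held by the approving registry, never by the tool author.
REGISTRY_KEY = b"constructed-demo-key-not-for-production"

def canonical_bytes(manifest):
    # Canonical JSON (sorted keys, no whitespace) so only content changes the digest.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(manifest, key):
    # HMAC-SHA256 over the canonical form, issued once at approval time.
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()

def verify_manifest(manifest, signature, key):
    # Constant-time comparison; fails if any field was altered after signing.
    return hmac.compare_digest(sign_manifest(manifest, key), signature)

def metadata_drift(approved, presented):
    # Fields whose value differs from the approved snapshot (change monitoring).
    keys = set(approved) | set(presented)
    return sorted(k for k in keys if approved.get(k) != presented.get(k))

def undeclared_permissions(manifest, observed):
    # Permissions exercised at runtime but missing from the declared list.
    return set(observed) - set(manifest.get("permissions", []))

def assess_tool(presented, signature, observed, approved=APPROVED_MANIFEST, key=REGISTRY_KEY):
    # Run all checks before the tool is exposed to the model; an empty list means it passed.
    findings = []
    if not verify_manifest(presented, signature, key):
        findings.append("signature mismatch: metadata differs from the signed, approved manifest")
    for field in metadata_drift(approved, presented):
        findings.append(f"metadata drift: field '{field}' changed since approval")
    for perm in sorted(undeclared_permissions(presented, observed)):
        findings.append(f"undeclared permission exercised at runtime: {perm}")
    return findings

if __name__ == "__main__":
    sig = sign_manifest(APPROVED_MANIFEST, REGISTRY_KEY)
    # Constructed tampered copy mirroring Example 3: broader permissions than declared.
    tampered = dict(APPROVED_MANIFEST, permissions=["read_logs", "write_logs"])
    for line in assess_tool(tampered, sig, {"read_logs", "delete_logs", "system_access"}):
        print(line)
```

Because the digest is computed over canonical JSON, reordering keys or changing whitespace does not invalidate the signature, while any change to a field value does.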
References & Sources
- Prompt Security - “Top 10 MCP Security Risks You Need to Know”
- Writer - “Model Context Protocol (MCP) security”
Metadata manipulation attacks the foundation of trust between users, AI systems, and tools by corrupting the information used to make security decisions.
Related TTPs