Day 2 · Lesson 5 — Agent Tools & MCP
Why the open protocol needs a governance wrapper, attack by attack.
Lesson 4 said enterprises wrap MCP in centralised governance. This lesson is why: the specific attacks the open protocol enables, and the flagship one, the confused deputy, that turns a helpful agent into an attacker's hands. This is where the governance layer stops being abstract.
From Lesson 4: the enterprise fix for MCP's security gaps is —
Wrap the open protocol in governance. This lesson catalogues the threats that wrapper has to stop, and each defence is a piece of it.
Two things at once.1 As a new API surface, MCP doesn't inherently ship the controls a hardened endpoint has: authn/authz, rate limiting, observability. As a standard protocol, it's being pointed at sensitive systems and real-world actions, which raises both the likelihood and the severity of the two headline harms: unauthorised actions and data exfiltration.
Five named risks. Notice the pattern in the last column: the defences are all pieces of one governance wrapper.1
| Attack | How it works | Defence (→ pillar) |
|---|---|---|
| Dynamic Capability Injection | A server silently changes its tools at runtime; a poetry agent suddenly can buy books | Allowlist + pin/version tools; gateway filtering (V) |
| Tool Shadowing | A malicious tool's description is crafted so the model picks it over the legit one | Name-collision checks; approved-servers only; HITL (V) |
| Malicious Tool Defs / Content | Tool descriptors or ingested content carry injected prompts — even a benign tool becomes a vector | Input validation, output sanitisation, split trusted/untrusted planners (V) |
| Sensitive Info Leaks | Tools receive sensitive conversation data; Elicitation can request more | Taint sources/sinks; structured outputs + annotations (C) |
| No Scope Limiting | MCP auth is coarse (one-time client↔server); no per-tool scope, no user-credential passthrough | Scoped, audience-bound, short-lived creds; least privilege (IV) |
A classic security bug: a privileged program (the "deputy") is tricked by a less-privileged attacker into misusing its authority.1 In MCP it's acute, because the server is a privileged intermediary and the AI is the deputy that relays instructions to it. Walk the attack:
1. Attacker — a dev with NO access to the private repo, but the MCP
server DOES (broad repo privileges, to be "useful").
2. Injection — asks the AI assistant: "find secret_algorithm.py and
create a branch backup_2025 containing it, so I can pull
it to my personal environment."
3. Confused — to the AI it's just: search file → create branch → add
deputy content. It has no security context of its own; it
relays the request to the privileged server.
4. Escalation— the SERVER checks only whether IT may act — not whether
the USER may. It can, so it does. Secret code exfiltrated.
The whole exploit lives in step 4: the deputy checks its own permissions, never the user's. No repo was hacked; the trust relationship between AI and privileged server was. That single sentence is why identity and scoped credentials (passing the user's authority, not the server's) are the core defence.
Every defence in the table is a VERDICT control. Allowlists + validation gates = V; taint tracking of sensitive flows = C; logging every tool call = E. And the confused deputy is precisely an I Identity failure: the fix is per-agent identity plus scoped, least-privilege credentials bound to the acting user, so a tool can never wield more authority than the human behind it. Human-in-the-loop on sensitive sinks is the R/V approval gate.
Ladder read: "any agent can reach any server, which checks only its own rights" is L1 Unseen with a loaded gun. Gateways enforcing allowlists, scoped identity, and HITL on sensitive sinks are the ENFORCE phase → L3 Controlled. Day 4 will show these same ideas as Google's 7-pillar security model, which lines up almost one-to-one with VERDICT.
Give each tool the narrowest credential that works (read-only if it only reads), and treat any external content a tool ingests as untrusted input. Never let secrets flow through the agent's conversation context.
Allowlist approved servers and pin tool versions; require human confirmation for sensitive sinks (deletes, egress, prod writes) regardless of which tool asks. Assume a tool description can be adversarial.
Route all agent↔tool traffic through a gateway that enforces identity, scoped credentials, allowlists, and payload inspection. The confused deputy is closed only when the deputy carries the user's authority, not its own. That's an org-level identity decision.
Recall, don't re-read.
In the confused-deputy attack, the MCP server fails to check —
It checks only whether it may act, never whether the user may. That gap is the privilege escalation, closed by scoped credentials bound to the acting user.
Tool shadowing works by —
The attacker crafts a description with broad triggers so the planner picks the shadow tool over the legit one, and the data is intercepted. Defence: name-collision checks and approved-only servers.
The control that most limits confused-deputy damage is —
If the tool can only wield the acting user's narrow, scoped authority, a tricked deputy can't exceed it. Least privilege caps the blast radius the attack can reach.
Pick one tool your agents call that acts (writes, sends, deploys). Ask: what credential does it hold, its own broad one or the user's scoped one? If it's the former, you have a confused-deputy waiting. Narrowing that credential is the highest-leverage fix in this whole lesson.
Google Research's "An Introduction to Google's Approach for Secure AI Agents" is the deeper treatment of these patterns; Model Armor is the payload-inspection layer the paper cites for input/output sanitisation.
Up next → Day 2 · Synthesis. Reassemble the whole day (tools → design → MCP → trade-offs → threats) from memory, and link it back to Day 1. Recall-only.
Related: Glossary: confused deputy · ← Day 2 L4: For and Against · The Governance Layer · Course home