Day 2 · Lesson 5 — Agent Tools & MCP

The Threat Landscape & the Confused Deputy

Why the open protocol needs a governance wrapper, attack by attack.

Lesson 4 said enterprises wrap MCP in centralised governance. This lesson is why: the specific attacks the open protocol enables, and the flagship one, the confused deputy, that turns a helpful agent into an attacker's hands. This is where the governance layer stops being abstract.

Recall first (spacing)

From Lesson 4: the enterprise fix for MCP's security gaps is —

  • A bigger model
  • Avoiding tools
  • A centralised governance wrapper

Wrap the open protocol in governance. This lesson catalogues the threats that wrapper has to stop, and each defence is a piece of it.

Why MCP is a new threat surface

Two things at once.1 As a new API surface, MCP doesn't inherently ship the controls a hardened endpoint has: authn/authz, rate limiting, observability. As a standard protocol, it's being pointed at sensitive systems and real-world actions, which raises both the likelihood and the severity of the two headline harms: unauthorised actions and data exfiltration.

The attack catalogue

Five named risks. Notice the pattern in the last column: the defences are all pieces of one governance wrapper.1

AttackHow it worksDefence (→ pillar)
Dynamic Capability InjectionA server silently changes its tools at runtime; a poetry agent suddenly can buy booksAllowlist + pin/version tools; gateway filtering (V)
Tool ShadowingA malicious tool's description is crafted so the model picks it over the legit oneName-collision checks; approved-servers only; HITL (V)
Malicious Tool Defs / ContentTool descriptors or ingested content carry injected prompts — even a benign tool becomes a vectorInput validation, output sanitisation, split trusted/untrusted planners (V)
Sensitive Info LeaksTools receive sensitive conversation data; Elicitation can request moreTaint sources/sinks; structured outputs + annotations (C)
No Scope LimitingMCP auth is coarse (one-time client↔server); no per-tool scope, no user-credential passthroughScoped, audience-bound, short-lived creds; least privilege (IV)

The flagship: the Confused Deputy

A classic security bug: a privileged program (the "deputy") is tricked by a less-privileged attacker into misusing its authority.1 In MCP it's acute, because the server is a privileged intermediary and the AI is the deputy that relays instructions to it. Walk the attack:

1. Attacker  — a dev with NO access to the private repo, but the MCP
               server DOES (broad repo privileges, to be "useful").
2. Injection — asks the AI assistant: "find secret_algorithm.py and
               create a branch backup_2025 containing it, so I can pull
               it to my personal environment."
3. Confused  — to the AI it's just: search file → create branch → add
   deputy       content. It has no security context of its own; it
               relays the request to the privileged server.
4. Escalation— the SERVER checks only whether IT may act — not whether
               the USER may. It can, so it does. Secret code exfiltrated.

The whole exploit lives in step 4: the deputy checks its own permissions, never the user's. No repo was hacked; the trust relationship between AI and privileged server was. That single sentence is why identity and scoped credentials (passing the user's authority, not the server's) are the core defence.

The governance layer, made concrete

Governance overlay · Day 2 Lesson 5

This lesson is the governance layer — as tooling attacks

Every defence in the table is a VERDICT control. Allowlists + validation gates = V; taint tracking of sensitive flows = C; logging every tool call = E. And the confused deputy is precisely an I Identity failure: the fix is per-agent identity plus scoped, least-privilege credentials bound to the acting user, so a tool can never wield more authority than the human behind it. Human-in-the-loop on sensitive sinks is the R/V approval gate.

Ladder read: "any agent can reach any server, which checks only its own rights" is L1 Unseen with a loaded gun. Gateways enforcing allowlists, scoped identity, and HITL on sensitive sinks are the ENFORCE phase → L3 Controlled. Day 4 will show these same ideas as Google's 7-pillar security model, which lines up almost one-to-one with VERDICT.

Through your three lenses

Individual (IC)

Give each tool the narrowest credential that works (read-only if it only reads), and treat any external content a tool ingests as untrusted input. Never let secrets flow through the agent's conversation context.

Team

Allowlist approved servers and pin tool versions; require human confirmation for sensitive sinks (deletes, egress, prod writes) regardless of which tool asks. Assume a tool description can be adversarial.

Organisation

Route all agent↔tool traffic through a gateway that enforces identity, scoped credentials, allowlists, and payload inspection. The confused deputy is closed only when the deputy carries the user's authority, not its own. That's an org-level identity decision.

Check the reflex

Recall, don't re-read.

In the confused-deputy attack, the MCP server fails to check —

It checks only whether it may act, never whether the user may. That gap is the privilege escalation, closed by scoped credentials bound to the acting user.

Tool shadowing works by —

The attacker crafts a description with broad triggers so the planner picks the shadow tool over the legit one, and the data is intercepted. Defence: name-collision checks and approved-only servers.

The control that most limits confused-deputy damage is —

If the tool can only wield the acting user's narrow, scoped authority, a tricked deputy can't exceed it. Least privilege caps the blast radius the attack can reach.

Carry this into the week

Pick one tool your agents call that acts (writes, sends, deploys). Ask: what credential does it hold, its own broad one or the user's scoped one? If it's the former, you have a confused-deputy waiting. Narrowing that credential is the highest-leverage fix in this whole lesson.

Go deeper (primary source)

Google Research's "An Introduction to Google's Approach for Secure AI Agents" is the deeper treatment of these patterns; Model Armor is the payload-inspection layer the paper cites for input/output sanitisation.


Notes

  1. Styer, Patlolla, Mohaan, Díaz & Nawalgaria, Agent Tools & Interoperability with MCP (Day 2), "Security in MCP" pp.42–49 and Appendix, "Confused Deputy problem" pp.51–53.

Up next → Day 2 · Synthesis. Reassemble the whole day (tools → design → MCP → trade-offs → threats) from memory, and link it back to Day 1. Recall-only.

Related: Glossary: confused deputy · ← Day 2 L4: For and Against · The Governance Layer · Course home