Nolixan

Tool-poisoning scanner

Scan MCP tools for hidden instructions, schema abuse, typosquatting, and rug-pulls — before your agent trusts them.

MCP servers can ship tools whose descriptions carry hidden instructions, or that silently change after you've approved them (a "rug-pull"). The tool-poisoning scanner inspects the tools an environment can see and flags the dangerous ones.

Scan

curl "https://your-host/api/v1/governance/tool-scan?environment_id=1" \
  -H "Authorization: Bearer <JWT>"
{
  "flagged_tools": [
    {
      "tool": "send_email",
      "provider": "acme-mcp",
      "fingerprint": "sha256…",
      "severity": "high",
      "findings": [
        { "code": "hidden_instruction", "severity": "high", "detail": "zero-width characters in description" }
      ]
    }
  ]
}

What it detects

  • Hidden instructions — invisible unicode (zero-width, BOM, bidi overrides), HTML/markdown comments, decoded base64/hex payloads, and prompt-injection phrasing inside tool descriptions.
  • Schema abuse — oversized (>20 KB) or over-deep (>8 levels) schemas, >100 properties, suspicious description fields engineered to manipulate the model.
  • Typosquatting — tool names within a small edit distance of well-known tools.
  • Rug-pulls — a content fingerprint (name + description + canonical schema) that changed after the tool was first seen.

Severity & fail-closed

Findings are graded oklowmediumhighcritical. If the scan itself errors on a tool, that tool is flagged critical rather than passed — the scanner fails closed.

This control maps to OWASP Agentic ASI-04 (agentic supply-chain) and the OWASP MCP Top-10 — see Compliance. It complements Policies: the scanner tells you which tools not to trust; policy decides what any tool may actually do.

On this page