Tool-poisoning scanner
Scan MCP tools for hidden instructions, schema abuse, typosquatting, and rug-pulls — before your agent trusts them.
MCP servers can ship tools whose descriptions carry hidden instructions, or that silently change after you've approved them (a "rug-pull"). The tool-poisoning scanner inspects the tools an environment can see and flags the dangerous ones.
Scan
What it detects
- Hidden instructions — invisible unicode (zero-width, BOM, bidi overrides), HTML/markdown comments, decoded base64/hex payloads, and prompt-injection phrasing inside tool descriptions.
- Schema abuse — oversized (>20 KB) or over-deep (>8 levels) schemas, >100 properties, suspicious description fields engineered to manipulate the model.
- Typosquatting — tool names within a small edit distance of well-known tools.
- Rug-pulls — a content fingerprint (name + description + canonical schema) that changed after the tool was first seen.
Severity & fail-closed
Findings are graded ok → low → medium → high → critical. If the scan itself errors on a tool, that tool is flagged critical rather than passed — the scanner fails closed.
This control maps to OWASP Agentic ASI-04 (agentic supply-chain) and the OWASP MCP Top-10 — see Compliance. It complements Policies: the scanner tells you which tools not to trust; policy decides what any tool may actually do.