The channel between your agents is an attack surface too

You secured the front door. The agents talk to each other through a hallway you left unwatched, and that is where the next breach walks in.

B

Balagei G Nagarajan

3 MIN READ


Two agents communicating through a channel with an attacker intercepting and poisoning a message

Key facts.

  • Invariant Labs disclosed MCP tool-description poisoning in 2025: hidden instructions in tool metadata can make an agent read and exfiltrate files while returning a normal response (tool-description poisoning).
  • MCPTox benchmarked tool-poisoning attacks across real-world MCP servers (MCPTox, 2025).
  • Inter-agent messages are untrusted content to the receiver, so the communication channel needs its own authentication and validation; AgentDojo measures exactly this hijack-via-tool-data surface (AgentDojo, 2024).
One compromised agent or tool makes the internal channel a delivery path.
— from "The channel between your agents is an attack surface too"

Why is the internal channel trusted by default?

A frontier model earns its credit and the agent hallway stays untrusted: a poisoned tool description hijacks the receiver (MCPTox), an incident on a channel. (arXiv:2508.14925)

Because teams secure the perimeter and assume the inside is safe. But the inside is where agents act on each other's words and on tool descriptions they read before calling. A single poisoned tool, or one compromised agent, turns the trusted channel into a delivery mechanism. The fix is to extend zero-trust inward: authenticate agent messages, validate tool metadata before loading, and scan inter-agent content for instruction-like payloads the way you would scan external input.

Swimlane diagram showing message and tool-metadata channels between agents with validation checkpoints inserted

Trusted internals vs. zero-trust internals

Trusted internalsZero-trust internals
Inter-agent messages trustedMessages authenticated and validated
Tool descriptions loaded blindlyTool metadata scanned before use
One compromise spreads insideCompromise contained at the channel

VibeModel's Pattern Intelligence Layer watches the internal channel for the patterns of poisoning, a tool description that carries hidden instructions, a message that suddenly tries to issue commands, and contains them. You extend zero-trust to the hallway; we recognize the poison as it tries to pass through. The perimeter is not the whole defense.

Frequently asked questions

Do I really need to scan tool descriptions?
Yes. Invariant Labs built mcp-scan for exactly this. A poisoned description is invisible at install and active at runtime.

Isn't internal traffic already inside my trust boundary?
That assumption is the vulnerability. One compromised agent or tool makes the internal channel a delivery path. Validate it.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.