
Key facts.
- Invariant Labs disclosed MCP tool-description poisoning in 2025: hidden instructions in tool metadata can make an agent read and exfiltrate files while returning a normal response (tool-description poisoning).
- MCPTox benchmarked tool-poisoning attacks across real-world MCP servers (MCPTox, 2025).
- Inter-agent messages are untrusted content to the receiver, so the communication channel needs its own authentication and validation; AgentDojo measures exactly this hijack-via-tool-data surface (AgentDojo, 2024).
Why is the internal channel trusted by default?
A frontier model earns its credit and the agent hallway stays untrusted: a poisoned tool description hijacks the receiver (MCPTox), an incident on a channel. (arXiv:2508.14925)
Because teams secure the perimeter and assume the inside is safe. But the inside is where agents act on each other's words and on tool descriptions they read before calling. A single poisoned tool, or one compromised agent, turns the trusted channel into a delivery mechanism. The fix is to extend zero-trust inward: authenticate agent messages, validate tool metadata before loading, and scan inter-agent content for instruction-like payloads the way you would scan external input.

Trusted internals vs. zero-trust internals
| Trusted internals | Zero-trust internals |
|---|---|
| Inter-agent messages trusted | Messages authenticated and validated |
| Tool descriptions loaded blindly | Tool metadata scanned before use |
| One compromise spreads inside | Compromise contained at the channel |
VibeModel's Pattern Intelligence Layer watches the internal channel for the patterns of poisoning, a tool description that carries hidden instructions, a message that suddenly tries to issue commands, and contains them. You extend zero-trust to the hallway; we recognize the poison as it tries to pass through. The perimeter is not the whole defense.
Frequently asked questions
Do I really need to scan tool descriptions?
Yes. Invariant Labs built mcp-scan for exactly this. A poisoned description is invisible at install and active at runtime.
Isn't internal traffic already inside my trust boundary?
That assumption is the vulnerability. One compromised agent or tool makes the internal channel a delivery path. Validate it.

