ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP

📅 2026-06-25
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the vulnerability of single-tool poisoning attacks in multi-tool collaborative scenarios under the Model Context Protocol (MCP), where such attacks are easily detected due to the absence of systematic stealth mechanisms. To overcome this limitation, the authors propose a threshold-based multi-tool poisoning framework grounded in Shamir’s secret sharing scheme. The approach decomposes malicious instructions into innocuous secret shares, which are embedded across multiple tool descriptions and later reassembled into a complete attack payload on the server side via a covert trigger. This method achieves, for the first time, information-theoretic security in multi-tool collaborative poisoning. Evaluated across four representative scenarios and two mainstream MCP clients, it attains an average attack success rate exceeding 90%, significantly outperforming existing techniques while offering high stealthiness, fault tolerance, and robustness against both manual and automated detection.
📝 Abstract
With the rapid evolution of LLM-driven agents, Model Context Protocol (MCP), an open protocol bridging LLMs with external tools, has quickly become foundational to modern agent ecosystems. However, the expanding adoption of MCP has also introduced novel security concerns such as Tool Poisoning Attack (TPA), which exploit LLM-server interactions to inject malicious prompts. Existing poisoning schemes typically adopt a monolithic plaintext embedding paradigm, which fails to withstand manual inspection or automated detectors. Current research still lacks a systematic analysis on multi-tool poisoning, where multiple tools can be exploited cooperatively to disperse detection risk. In this paper, we introduce ShareLock, a multi-tool threshold poisoning framework that utilizes Shamir's threshold scheme to ensure exceptional stealth and fault tolerance. ShareLock distributes the malicious instruction as benign-looking secret shares across multiple tool descriptions, achieving both information-theoretic secrecy and attack robustness against moderate auditing. After a covert reconstruction trigger is planted during server update, the aggregated shares reconstruct the hidden instruction, resulting in critical breaches of system assets or private data. To evaluate the realistic threat of ShareLock, we constructed a comprehensive benchmark encompassing four multi-tool scenarios and conducted extensive experiments across mainstream LLMs on two distinct MCP clients. Our results demonstrate that ShareLock significantly outperforms existing single-tool poisoning strategies in tool description-based detection while maintaining an average attack success rate exceeding 90%.
Problem

Research questions and friction points this paper is trying to address.

Tool Poisoning Attack
Multi-Tool
MCP
Stealthy Attack
Threshold Scheme
Innovation

Methods, ideas, or system contributions that make the work stand out.

threshold poisoning
multi-tool attack
Shamir's secret sharing
Model Context Protocol
stealthy attack
🔎 Similar Papers
2023-02-05arXiv.orgCitations: 5