Tool Chain Exploitation
T11 · Agentic & Orchestrator Exploitation →Agentic frameworks (ReAct, AutoGPT, LangChain, MCP-connected assistants) expose a registry of tools — file I/O, shell, database, HTTP, code execution — that the model invokes by emitting structured calls. The core gap is excessive agency combined with no semantic gate on the *composition* of tools: each tool may be individually reasonable, but the model is free to chain them into a kill-chain (read secret → email it out) that no single permission check catches. Tool descriptions are themselves part of the prompt, so MCP tool poisoning (Invariant Labs reported 84.2% ASR on GPT-3.5-turbo) lets a malicious or rug-pulled tool inject instructions that steer the agent toward dangerous calls without ever being explicitly invoked.
- Audit every tool call: tool name, arguments, invoking instruction source, and the observation returned
- Detect sensitive *sequences* (read-secret → network-send, get-creds → use-creds) rather than only individual high-risk calls
- Hash and pin approved MCP tool descriptions; alert on post-approval description changes (rug-pull detection)
- Monitor for unbounded recursion / call-rate spikes and enforce per-task call budgets
Tool-chain abuse is the execution layer beneath most other T11 techniques: T11-AP-002G feeds directly into T11-AT-008 (credential harvesting) and T11-AT-011 (exfiltration), T11-AP-002I bridges to T11-AT-013 (supply chain), and code execution (T11-AP-002F) enables T11-AT-009 persistence and T11-AT-015 replication. Entry is commonly via T1 prompt injection or T13 supply-chain MCP tool poisoning that ships a malicious tool description.