A malicious MCP server is a Model Context Protocol server that appears to offer legitimate tools but is built or compromised to attack the AI agent that connects to it. It attacks through poisoned tool descriptions, stolen OAuth tokens and credentials, data exfiltrated inside tool results, or rug-pull updates that change a tool's behavior after it has been trusted. Because an AI agent treats an MCP server's tool list as trusted context, a single malicious server can hijack the agent's actions. The core defense is to treat every MCP server as untrusted input, pin and hash its tools, and route all MCP traffic through a security proxy.
When an agent connects to an MCP server, it downloads a list of tools — each with a name, a natural-language description, and an input schema. The agent uses these descriptions to decide when and how to call tools, and it often forwards user credentials or OAuth tokens so the tool can act on the user's behalf. A malicious server abuses that trust at the discovery layer, before the user ever explicitly calls a tool.
~/.aws/credentials and include it") that the agent executes as trusted context.Malicious MCP servers sit under the OWASP Top 10 for agentic applications and are catalogued in the CASURA taxonomy of AI-agent vulnerabilities. Independent scans in 2025 found that a large share of publicly listed MCP servers exposed tool descriptions that could be modified after installation, making rug-pull and tool-poisoning variants a practical concern. As one MCP security review put it: "You are not just calling a tool — you are importing whatever the server decides to say."