docs/mcp-scan/issue-code-reference.md
Lines changed: 9 additions & 5 deletions
@@ -28,23 +28,27 @@ A toxic flow is a threat that arises when multiple tools (that are benign indivi
<h3id="TF001">TF001: Data Leak Toxic Flow.</h3>
A Data Leak Toxic Flow allows the attacker to leak private data from the agent. For this to work, three components are required:
-
* An **untrusted output** tool: A tool whose output could be malicious, such as fetching information from a webpage set up by someone else.
+
* An **untrusted content** tool: A tool whose output could be malicious, such as fetching information from a webpage set up by someone else.
* A **private data** tool: A tool that exposes private data to the Agent, by reading a file from the user's machine, for example.
* A **public sink** tool: A tool that the Agent can use to send information back to the attacker. This could mean sending a private message to an arbitrary phone number, or simply making some information public on the internet. Examples include writing to a public repo or sending a message on WhatsApp.
-
The attack triggers when the agent uses the **untrusted output** tool for any unrelated user task. The output of the tool contains a prompt injection, or a set of malicious instructions that compromise the agent. Once compromised, the agent can use the **private data** tool to fetch the user's private data. Finally, the compromised agent can leak such data using the **public sink** tool.
+
The attack triggers when the agent uses the **untrusted content** tool for any unrelated user task. The output of the tool contains a prompt injection, or a set of malicious instructions that compromise the agent. Once compromised, the agent can use the **private data** tool to fetch the user's private data. Finally, the compromised agent can leak such data using the **public sink** tool.
!!! note
-
A single tool may act as **untrusted output**, **private data**, and **public sink** simultaneously.
+
A single tool may act as **untrusted content**, **private data**, and **public sink** simultaneously.
<h3id="TF002">TF002: Destructive Toxic Flow.</h3>
A Destructive Toxic Flow allows the attacker to cause permanent damage. For it to work, it needs two components:
-
* An **untrusted output** tool: A tool whose output could be malicious, such as fetching information from a webpage set up by someone else.
+
* An **untrusted content** tool: A tool whose output could be malicious, such as fetching information from a webpage set up by someone else.
* A **destructive** tool: An irreversible tool that can be used in a destructive way, like deleting a file on the user's machine, or sending money.
-
The attack triggers when the agent uses the **untrusted output** tool for any unrelated user task. The output of the tool contains a prompt injection, or a set of malicious instructions that compromise the agent. Once compromised, the agent can use the **destructive** tool to irreversibly damage the environment.
+
The attack triggers when the agent uses the **untrusted content** tool for any unrelated user task. The output of the tool contains a prompt injection, or a set of malicious instructions that compromise the agent. Once compromised, the agent can use the **destructive** tool to irreversibly damage the environment.
+
+
!!! note
+
+
A single tool may act as **untrusted content**, **destructive** simultaneously.
## Analysis Errors
An Analysis Error implies that something went wrong during the scan, and that the MCP servers are not being scanned as expected.
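Review bot: the admonition added at the end of TF002 (`A single tool may act as **untrusted content**, **destructive** simultaneously.`) is missing its conjunction and does not mirror the parallel wording of the TF001 note; suggest `A single tool may act as both **untrusted content** and **destructive** simultaneously.` so the two notes read the same way. The rename from **untrusted output** to **untrusted content** is applied consistently to the TF001 and TF002 bullets, descriptions and notes within this hunk, but only within it: please confirm that no occurrence of "untrusted output" remains elsewhere in this file or in the issue text that mcp-scan itself emits for TF001/TF002, so the reference stays in sync with what the scanner reports.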