To add more to this. the snippet below shows exactly how tool poisoning works in practice. A simple add two numbers MCP tool has malicious instructions hidden in the docstring. The AI sees these instructions but the user doesn't. It asks the model to read sensitive files like
