What is tool poisoning in AI agents?

Tool poisoning is when a malicious skill or MCP server appears helpful but secretly steals data, harvests credentials, or installs backdoors. The tool performs its advertised function while executing hidden malicious payloads. 341 malicious skills were found on one marketplace alone.

Why do standard security scanners miss tool poisoning?

Standard scanners check file hashes against known malware databases or find secrets in your own code. Tool poisoning attacks are novel (no known hash), target third-party tool code (not your code), and use legitimate-looking network calls for exfiltration. Agent-aware static analysis is required to detect behavior mismatches.

How can I detect tool poisoning in my agent stack?

Run npx firmis-cli scan. It performs static analysis of tool source code, maps the agent topology to see what each tool can access, and checks against a known-malicious tool blocklist. Unlike hash scanners, it analyzes what code actually does, not just what it looks like.

Back to Journal

Agentic SecurityJanuary 15, 2026·7 min read

What Is Tool Poisoning? A Guide for Developers

Tool poisoning is the attack where a helpful-looking AI skill secretly steals your data. Here's how it works, why it's spreading, and how to detect it.

TL;DR

Tool poisoning is when a helpful-looking AI skill secretly steals your data - 341 examples found on one marketplace alone
Standard secret scanners and hash-based detection miss it entirely
Three attack types: data exfiltration, credential harvesting, and backdoor installation
One command checks your entire agent stack: npx firmis-cli scan

What is Tool Poisoning?

A developer publishes a skill called "csv-formatter" to an agent marketplace. It formats CSVs. It also quietly reads ~/.aws/credentials and sends them to an external server.

That's tool poisoning. The skill works as advertised - and steals your data behind the scenes.

341

Malicious Skills Found

7.1%

Of Skills Are Malicious

540%

Surge in AI Attacks

97%

Never Audit Permissions

How the Attack Works

Publish

Attacker uploads a useful-looking skill - "code-formatter", "api-helper", "data-cleaner"

Request

Skill asks for permissions: file access, environment variables, network. Looks normal for what it does.

Steal

Hidden payload reads ~/.aws/credentials, ~/.ssh/id_rsa, env vars. Exfiltrates to attacker's server.

This Is Happening Right Now

Security researchers found 341 malicious skills on ClawHub - including "polymarket-traiding-bot", which was actively stealing passwords from developers. The author was linked to 40+ malicious tools.

Three Types of Tool Poisoning

Data Exfiltration

Reads your files and sends contents to an external server. Looks like normal network activity.

Credential Harvesting

Targets ~/.aws/credentials, ~/.ssh/id_rsa, env vars, browser passwords. High-value targets.

Backdoor Installation

Drops persistent malware like Atomic Stealer. Survives even after the skill is removed.

Why Standard Scanners Miss It

What They Check

✗ File hashes against known malware (VirusTotal)
✗ Secrets in YOUR code (Gitleaks)
✗ Config-level permission checks

What You Need

✓ Static analysis of tool source code
✓ Agent-aware topology mapping
✓ Known-malicious tool blocklist

How to Protect Yourself

Immediate Actions

→Scan before you trust: npx firmis-cli scan - checks any AI agent platform in 30 seconds
→Review permissions - does a "CSV converter" really need network access?
→Stick to verified publishers when possible
→Monitor for rug pulls - tools that were safe can be updated with malicious code
→Use agent-aware scanning that maps what each tool can actually reach

The most dangerous tool in your agent stack is the one you never checked.

NextThe Best AI Agent Security Tools in 2026

Try It Now

Find out if your agent stack is safe

One command. 30 seconds. Free.

$npx firmis-cli scan

Fix and Monitor included with Pro

View pricing