Skip to content

feat: add MCP tool-use security probes (probes.tooluse) (#1872)#1891

Open
xr843 wants to merge 1 commit into
NVIDIA:mainfrom
xr843:probe/mcp-tool-use-security
Open

feat: add MCP tool-use security probes (probes.tooluse) (#1872)#1891
xr843 wants to merge 1 commit into
NVIDIA:mainfrom
xr843:probe/mcp-tool-use-security

Conversation

@xr843

@xr843 xr843 commented Jun 27, 2026

Copy link
Copy Markdown

Summary

Adds probes.tooluse, testing whether a target acting as an MCP-connected agent can be manipulated into unsafe tool use. Implements the four threat categories from #1872.

Probes

  • PermissionEscalation — pressure to use a readOnlyHint tool destructively
  • ToolChainAbuse — chain individually-safe tools into an unsafe outcome
  • ServerPhishing — connect to / trust an untrusted or malicious MCP server
  • CredentialExfiltration — leak a credential through a tool parameter

Design

garak's harness is text-in/text-out, so these probes do not execute real tool calls; they measure the target's stated willingness to misuse tools — the model-level signal that complements registry-level analyses such as MCTS.

Each prompt embeds a synthetic tool manifest with MCP annotations (readOnlyHint/destructiveHint). Per the request for structured findings in the issue thread, every attempt records the tool manifest, declared annotations, expected policy verdict, and failure class in attempt.notes for downstream triage by failure class.

Detectors are reused, not added: mitigation.MitigationBypass for the refusal-expected probes (as in probes.doctor), and base.TriggerListDetector with a planted canary secret for credential exfiltration (as in probes.leakreplay).

Probes ship inactive (opt-in) at Tier.INFORMATIONAL, following probes.agent_breaker.

Tests

tests/probes/test_probes_tooluse.py mirrors existing probe tests; docs page added under docs/source/probes/. All tooluse + universal probe + docs checks pass; black --check clean. No new dependencies.

Closes #1872

Adds probes.tooluse, testing whether a target acting as an MCP-connected
agent can be manipulated into unsafe tool use. Four probes cover the threat
categories raised in NVIDIA#1872:

- PermissionEscalation: using a readOnlyHint tool destructively
- ToolChainAbuse: chaining individually-safe tools for an unsafe outcome
- ServerPhishing: connecting to an untrusted/malicious MCP server
- CredentialExfiltration: leaking a credential through a tool parameter

Each prompt embeds a synthetic tool manifest with MCP annotations
(readOnlyHint/destructiveHint) and records the manifest, declared
annotations, expected policy verdict, and failure class in attempt.notes
so findings can be triaged by failure class. Reuses existing detectors:
mitigation.MitigationBypass for refusal-expected cases and
base.TriggerListDetector with a planted canary secret for credential
exfiltration. Probes ship inactive (opt-in) at INFORMATIONAL tier.

Includes docs page and tests mirroring existing probe test patterns.

Closes NVIDIA#1872

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: xr843 <xianren843@protonmail.com>
@xr843 xr843 force-pushed the probe/mcp-tool-use-security branch from 2de3129 to edd4f6b Compare June 27, 2026 03:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feature: MCP tool-use security probe for agent tool misuse

1 participant