The MCP Attack That Hides in a Tool Description

Here's something that took me a while to fully accept: you can compromise an AI agent without writing a single line of malicious code. No buffer overflows. No exploit payloads. No injected shell commands. The attack surface is a text field - specifically, the natural language description attached to an MCP tool definition. We call it tool poisoning. It's the most dangerous finding we encountered when we scanned 448 MCP servers. And it's the one that existing security tooling is completely blind to.