THREAT
Tool-Call Hijacking
unauthorized tool invocationagent permission driftMCP exploitation
Tool-call hijacking is the unauthorized invocation of an MCP tool — either by an injected instruction that impersonates authorized intent, or by an agent that has drifted beyond its permitted operational scope.
ADVERSARIAL MECHANICS
An injected payload instructs the agent to call a tool not part of the original request. An attacker can redirect the agent to call send_email, write_file, or execute_code tools with attacker-controlled parameters. Chained tool calls amplify the damage: exfiltrate data with one tool, transmit it with another.
PROTOCOL CONTEXT (VEX — AUTHORITY PILLAR)
The VEX Protocol's Authority pillar is aimed at this problem: tool invocation should remain bound to an authorized principal and a declared scope. Evidence artifacts can preserve that context where governed execution is in use.
ProvnAI Mitigation
Tool-call authorization in ProvnAI is handled through layered policy. McpVanguard enforces configured allowlists and boundary rules at the proxy layer, while broader authority and evidence models depend on the surrounding governance stack.