AIDE-005 Agent Execution Coverage D GAP CANDIDATE Execution

Agent Tool-Invocation Hijacking

AIDE-005 |

Description

Adversary Behavior: Adversaries manipulate the inputs to autonomous AI coding agents to redirect their tool invocations toward adversary-specified actions, including arbitrary command execution, data exfiltration, and unauthorized system modifications.

AI/IDE Mechanism: AI coding agents are granted the ability to invoke tools — including shell commands, file operations, web requests, and API calls — as part of their development workflow. The agent selects and parameterizes tool calls based on its context, which includes tool descriptions, tool return values, and files read during task execution. This context-driven tool selection is susceptible to manipulation.

Execution Path: The adversary crafts malicious content in tool descriptions, tool return values, or files that the agent reads during task execution. This content influences the agent's tool selection and invocation behavior, causing the agent to execute redirected tool invocations with the permissions of the user running the IDE. Sensitive data can be exfiltrated through tool arguments such as encoding data in web request parameters. Testing demonstrated successful exploitation across 19 of 25 agent-LLM pairs in production coding environments.

Security Impact: Redirected tool invocations execute with the full permissions of the hosting user session, enabling arbitrary command execution, data exfiltration, and unauthorized file and system modifications through the agent's legitimate tool-use interface.

Platforms

Windows macOS Linux

Detection

Log all agent tool invocations with full argument content and correlate with the originating task context. Flag tool invocations whose arguments contain data derived from recently read files. Monitor for shell executions initiated by the agent process that perform network operations, credential access, or file exfiltration.

Detecting Data Components (5)

Tool Discovery

Events capturing the IDE's discovery of available tools from registered MCP servers.

Tool Call Request

Events capturing an agent's request to invoke a specific tool, including tool name, arguments, and triggering context.

Resource Access

Events capturing the IDE's access to resources provided by MCP servers.

Tool Call Response

Events capturing the response returned by a tool invocation, including output content and status.

Tool Authorization Event

Events capturing authorization decisions for agent tool invocations, including approvals, rejections, and auto-approvals.

Mitigations (1)

MCP Server Allowlisting and Verification

Maintain an approved inventory of MCP tool servers. Require signature verification for server registration. Validate that registered endpoints match approved providers. Alert on new server registrations from project-level configuration.

Data Sources

Command → Command Execution

Process → Process Creation

Application Log → Application Log Content

Network Traffic → Network Connection Creation

References

mitre-attack

CANDIDATE GAP — Proposed sub-technique of T1059 Command and Scripting Interpreter.

ToolLeak Red-Teaming Coding Agents

Red-Teaming Coding Agents from a Tool-Invocation Perspective: An Empirical Security Assessment

https://arxiv.org/abs/2509.05755

MCP History Theft (Trail of Bits, Apr 2025)

Malicious MCP tool server exploited tool discovery to exfiltrate conversation data.

https://blog.trailofbits.com/2025/04/23/how-mcp-servers-can-steal-your-conversation-history/

MCP Safety Audit

RADE (Retrieval-Agent Deception) attack — poisoned data in vector database triggers MCP tool-use for credential theft and remote access; Claude and Llama-3.3-70B susceptible (Radosevich & Halloran, arXiv:2504.03767, 2025)

https://arxiv.org/abs/2504.03767

IDEsaster CVEs

Auto-approved tool calls enable silent credential exfiltration and RCE across all tested AI IDEs (Marzouk, 2025-2026)

https://byteiota.com/idesaster-30-cves-hit-cursor-github-copilot-all-ai-ides/

Chinese State-Sponsored Claude Code Manipulation

Late 2025: adversary manipulated Claude Code with 80-90% autonomous operation across ~30 global targets (SnailSploit Threat Landscape)

https://snailsploit.com/ai-security/agentic-ai-threat-landscape/

ToolTweak

Tool name/description manipulation biases agent selection from ~20% to 81%; demonstrates adversarial control over tool invocation (arXiv:2510.02554, 2025)

https://arxiv.org/abs/2510.02554

ToolHijacker

Injects malicious tool documents into agent tool libraries via prompt injection, forcing consistent selection of attacker-controlled tools (arXiv:2504.19793, 2025)

https://arxiv.org/abs/2504.19793

AgentLAB

Tool chaining attack type — multi-turn exploitation of agent tool invocation; 644 test cases (arXiv:2602.16901, Feb 2026)

https://arxiv.org/abs/2602.16901

MalTool

Coding-LLM synthesizes tools with malicious behaviors embedded in benign code; 6,487 tools cataloged (arXiv:2602.12194, Feb 2026)

https://arxiv.org/abs/2602.12194

BackdoorAgent

Tool-stage backdoor attacks achieve 60.28% trigger persistence on GPT backbones (arXiv:2601.04566, Jan 2026)

https://arxiv.org/abs/2601.04566

Parasitic Toolchain Attacks

Adversaries embed malicious instructions in external data accessed during legitimate MCP tasks (arXiv:2509.06572, 2025)

https://arxiv.org/abs/2509.06572

STIX Metadata

type	attack-pattern
id	attack-pattern--20d8ce23-9aff-4232-b63a-296e2ec07b99
spec_version	2.1
created	2026-02-23T00:00:00.000Z
modified	2026-02-23T00:00:00.000Z
created_by_ref	identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique	False
x_mitre_version	0.1
x_mitre_status	candidate