Digital Marketing

WebMCP Tools You Expose to Agents Can Be Used to Hack Them

Add WebMCP to your website, and give AI visitors a set of named tools to call them. Those same tools can be used to make agents attack the people they sent them. The Chrome developer site now hosts WebMCP security guidelines, and most of them are written for websites that publish tools rather than companies that develop agents. Make your website agent ready with WebMCP, and open an attack zone, and closing it is your job, not the agent’s.

For two years, the agent readiness discussion has been about access: Can an agent access your content, read your page, complete your checkout? WebMCP is the version where you stop trusting an agent to take your website off the cuff and start giving it branded tools to drive. That’s a very useful protocol, and it’s the direction in which the agent web protocol layer is going. This is also where the agent’s legitimacy and the agent’s security cease to be the same property.

Chrome Named Two Ways Agents Were Hijacked With WebMCP

The Chrome agent security guide describes two attack vectors, and both come with tools that the website exposes. First is the manicious manifest. In Chrome’s words, “Websites may contain tooltips that contain hidden commands, in tooltips, parameters, or descriptions, designed to hijack the agent.” A tool description is the text that the agent reads to determine how to use the tool, so the description can carry instructions that the agent was never intended to follow.

The second vector is what most websites will come up with, and it doesn’t require a malicious website at all. Chrome calls it dirty output: “Real-time tool responses from trusted sites may include incorrect instructions as part of third-party data, such as user comments.” A tool on your website that returns your product reviews, your comment thread, your forum posts, or your support replies returns text written by other people. If one of those people placed an order within the update, your legal instrument is to give it to the agent as if it was from you. The premium is your user-generated content, and invites you to participate.

This feature is not a bug and will not be patched. “LLMs treat all scripts, instructions and user data, as a single sequence of tokens,” the guidance says, so the model cannot reliably distinguish the part you meant as data from the part an attacker meant as a command. That’s why Chrome says “the probabilistic nature of LLMs makes it impossible to ensure security within the model itself.” This is the same injection problem that has no clean fix within the model, now wearing a protocol. WebMCP offers those attacks a clean, streamlined delivery channel with purpose-built tools.

Making Your Website Agent-Ready Now Includes Making It Agent-Safe

The Chrome directive places the responsibility on the website, not just the agent. Chrome’s tool security document opens with a line aimed specifically at anyone exposing tools: “Only create your tools from sources you trust. This is especially important if the tools control user data or otherwise affect the user.” That line is written for whoever sends the tool. That means you.

Protections are concrete, and are annotations that you attach to the tools you deploy. untrustedContentHint “clearly labels paid content as untrusted, to help protect the integrity of your site while signaling to the agent that this data needs further processing,” and Chrome says when to use it: “If a tool returns user-generated content (UGC) or externally sourced data, consider adding an untrusted ContentHint to the tool.” readOnlyHint marks a stateless tool, which “allows the agent to make better decisions about when to request user authentication.” exposedTo restricts the tool to a list of trusted sources, written in the registry itself:

document.modelContext.registerTool({...}, {
 exposedTo: ['
});

Chrome caps the character budget as well, a tool description at 500 characters and a single tool output at about 1,500, and adds requestUserInteraction() a way to confirm action before it explodes. Take the obvious example, a tool that displays product reviews to a purchasing agent. Protecting it is not a trivial task: mark what comes out of it untrustedContentHintset up readOnlyHint because it learns rather than buys, and limits exposedTo from the roots you worship. None of this is the agent’s job. It’s the toolkit author’s job, which in most teams is web, CRO, or marketing people adding WebMCP to make it look more current, not security people studying threat models. That gap is where this is wrong. Marking which of your content is data and not commands is now part of submitting a tool, the way sanitizing input used to be part of submitting a form.

Adopt WebMCP, But Threat-Model All Tools First

Giving the agent graphic, clickable tools is more than enough to guess your website in the DOM, and the skill is a must have. None of this is a reason to avoid WebMCP. The point is smaller and more boring than “new protocol, new risk”: power comes with a bill attached, and the bill is yours.

So the line is simple. Don’t expose a tool to an agent that you haven’t mapped to a risk like you would a public API endpoint model. For every tool you’re about to sign up for, answer one question before you submit: What content can be trusted to return, and have you flagged it? If you can’t answer that, the tool isn’t ready yet, however the agent is ready for your entire website look.

WebMCP is ahead of its time. It remains in the test of the origin of Chrome, the specification is still moving, and many websites have not disclosed a single tool. That’s a window to determine if the agent is safe is part of being ready for the agent, before the first tool you send turns out to be the one that gives the agent your updates or whatever the person has hidden inside of them.

Additional resources:


This post was originally published on No Hacks.


Featured image: Roman Samborskii/Shutterstock

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button