Definition
Plain language
An attack that tampers with one of an AI agent's tools, or with the description of what the tool does, so the agent misbehaves when it uses it.
As stated in the literature
An attack class against tool-using agents that modifies a tool's implementation or its advertised description; distinguished from prompt injection, data poisoning, and Oracle Poisoning, which corrupt other parts of the pipeline.
Why it matters: It shows that securing an agent means trusting not just its prompts but every tool and tool description it relies on, since any of them can be quietly corrupted.
For example, an attacker rewrites the description of a 'send email' tool so the agent unknowingly leaks private data every time it uses it.
Heard on the show
“The full annotated version is on paperdive dot AI — every technical term tap-to-define, with links to the related work on prompt injection and tool poisoning grouped by theme.”Episode 208 — The Blank Space in Your AI Approval Box That Isn't Empty