Cross-Tool Chaining
An attack pattern where multiple AI agent tools, each safe in isolation, are combined in a single planning step to produce an outcome no individual tool was authorised to deliver.
Cross-Tool Chaining is an attack pattern where multiple AI agent tools, each safe in isolation, are combined in a single planning step to produce an outcome no individual tool was authorised to deliver. It is one of the principal failure modes inside OWASP ASI02 (Tool Misuse and Exploitation) and is structurally specific to agentic systems — classical applications cannot exhibit it because they call functions deterministically, not through an LLM that reasons over multiple available tools.
The canonical case is Git + Browser exfiltration. An agent connected to a Git MCP server (which can read repository content) and a Browser MCP server (which can fetch arbitrary URLs) inherits a compound capability the host never explicitly granted: send the contents of any private repo to any external URL. Each tool, alone, is safe — Git only reads, Browser only fetches. The composition is the exploit. Other documented patterns include Filesystem read + Mail send (file exfiltration via SMTP), Database query + HTTP fetch (data extraction via webhook), and Credential vault read + arbitrary execution (token theft escalating to lateral movement).
Why Composition Risk Is Underweighted
Most production deployments evaluate MCP servers individually. They review what each server's tools do, check whether each tool's authority is appropriate, and approve the server. They rarely audit the combination — the matrix of tool pairs (and small sets) that becomes available once multiple servers are connected to the same agent context. This is the most consistently under-tested control in real deployments, per the MCP Breach Index 2025–2026 and the Endor Labs / Equixly analyses cited there.
The architectural property driving the risk: the agent decides, at planning time, which tools to call together. The host typically does not enforce a composition policy unless explicitly built. Whatever combinations the LLM can reason about and execute are reachable by any successful prompt injection or tool poisoning attempt.
Detection and Mitigation
Detecting cross-tool chaining is primarily a static-analysis problem: enumerate every pair (and useful triple) of connected tools and ask "does this composition produce an outcome neither tool individually authorised?" Where the answer is yes, the host needs an explicit policy to block, gate, or confirm the composition.
Mitigation patterns include: explicit composition policies modelled at the host level (cross-trust-boundary chains require user confirmation); process-boundary isolation (tools holding credentials run in distinct boundaries from tools touching arbitrary external content); and capability-aware planning (the agent runtime understands which compositions are dangerous and refuses them at plan time, before execution).
For Web3 deployments, the additional rule is unconditional: tools that can sign transactions or access wallet credentials must not be composable with tools that consume arbitrary external content. The composition is too dangerous to gate with a confirmation prompt; it must be impossible at the architecture layer.
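The pairwise audit described under detection and the three mitigation patterns above (host-level composition policy, process-boundary isolation, and a plan-time gate), written out as an added example. This is illustrative code, not code from this page, from Zealynx, or from any MCP host implementation; the tool names, server names, capability tags and isolation-boundary labels are constructed for the demonstration. The rules encode the compositions the entry lists: private read plus external channel is gated on confirmation, credential read plus execution or an external channel is blocked, and, following the Web3 rule, signing plus untrusted content is blocked rather than confirmed.

```python
"""Composition audit and plan-time gate for an agent's tool set.

Added example for this glossary entry; not code from the page, from Zealynx,
or from any MCP implementation. Tool names, server names, capability tags and
boundary labels are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations

# Capability tags a host assigns to each tool when it reviews a server.
READS_PRIVATE = "reads_private_data"        # git read, filesystem read, db query
SENDS_EXTERNAL = "sends_external"           # browser fetch, http fetch, mail send
CONSUMES_UNTRUSTED = "consumes_untrusted"   # returns attacker-controllable content
HOLDS_CREDENTIALS = "holds_credentials"     # vault read, wallet key access
SIGNS_TRANSACTIONS = "signs_transactions"   # signs on-chain transactions
EXECUTES = "executes_arbitrary"             # shell or code execution

# Rule: (cap_a, cap_b, decision, reason). A tool pair matches when one tool
# carries cap_a and the other cap_b, in either order.
RULES = (
    (SIGNS_TRANSACTIONS, CONSUMES_UNTRUSTED, "block",
     "transaction signing reachable from untrusted external content"),
    (HOLDS_CREDENTIALS, EXECUTES, "block",
     "credential read plus arbitrary execution (token theft to lateral movement)"),
    (HOLDS_CREDENTIALS, SENDS_EXTERNAL, "block",
     "credential read plus an external channel (secret exfiltration)"),
    (READS_PRIVATE, SENDS_EXTERNAL, "confirm",
     "private data plus an external channel crosses a trust boundary"),
)
SEVERITY = {"allow": 0, "confirm": 1, "block": 2}


@dataclass(frozen=True)
class Tool:
    name: str
    server: str
    caps: frozenset


@dataclass(frozen=True)
class Finding:
    tools: tuple     # names of the two tools in the composition
    decision: str    # "block" or "confirm"
    reason: str


def pair_decision(a, b):
    """Return the most severe Finding for one tool pair, or None if benign."""
    worst = None
    for cap_a, cap_b, decision, reason in RULES:
        hit = (cap_a in a.caps and cap_b in b.caps) or (cap_a in b.caps and cap_b in a.caps)
        if hit and (worst is None or SEVERITY[decision] > SEVERITY[worst.decision]):
            worst = Finding((a.name, b.name), decision, reason)
    return worst


def audit_compositions(tools):
    """Static audit: enumerate every pair of connected tools and report the
    compositions that need a gate. This is the matrix most reviews skip."""
    findings = [f for a, b in combinations(tools, 2) if (f := pair_decision(a, b))]
    return sorted(findings, key=lambda f: (-SEVERITY[f.decision], f.tools))


def gate_plan(plan, tools):
    """Plan-time gate: given the tool names an agent wants to call in one
    planning step, return 'allow', 'confirm' or 'block' before anything runs."""
    by_name = {t.name: t for t in tools}
    selected = [by_name[n] for n in plan if n in by_name]
    decision = "allow"
    for a, b in combinations(selected, 2):
        f = pair_decision(a, b)
        if f and SEVERITY[f.decision] > SEVERITY[decision]:
            decision = f.decision
    return decision


def isolation_violations(tools, boundary_of):
    """Process-boundary check: tools holding credentials or signing keys must
    not share an isolation boundary with tools that consume untrusted content."""
    sensitive = {HOLDS_CREDENTIALS, SIGNS_TRANSACTIONS}
    return [
        (a.name, b.name)
        for a, b in combinations(tools, 2)
        if boundary_of[a.server] == boundary_of[b.server]
        and ((a.caps & sensitive and CONSUMES_UNTRUSTED in b.caps)
             or (b.caps & sensitive and CONSUMES_UNTRUSTED in a.caps))
    ]


# Constructed tool inventory mirroring the compositions the entry describes.
TOOLS = [
    Tool("git.read_file", "git", frozenset({READS_PRIVATE})),
    Tool("browser.fetch", "browser", frozenset({SENDS_EXTERNAL, CONSUMES_UNTRUSTED})),
    Tool("vault.get_secret", "vault", frozenset({HOLDS_CREDENTIALS})),
    Tool("shell.run", "shell", frozenset({EXECUTES})),
    Tool("wallet.sign_tx", "wallet", frozenset({SIGNS_TRANSACTIONS})),
]

if __name__ == "__main__":
    for f in audit_compositions(TOOLS):
        print(f"{f.decision:8} {f.tools[0]} + {f.tools[1]}: {f.reason}")
    print("plan git+browser   ->", gate_plan(["git.read_file", "browser.fetch"], TOOLS))
    print("plan browser+wallet ->", gate_plan(["browser.fetch", "wallet.sign_tx"], TOOLS))
```

Run as a script, the audit lists the browser/vault, browser/wallet and vault/shell pairs as blocked and git/browser as requiring confirmation, while every other pair in the inventory is silent. The gate is the piece the host must call on the agent's plan before dispatch: the rules are intentionally keyed on capability tags rather than tool names, so a newly connected server is covered as soon as its tools are tagged during review.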
For deeper operational guidance, see the OWASP ASI02 explainer and the MCP Security Checklist.
Related Terms
Model Context Protocol (MCP)
Open standard defining how AI agents communicate with external tools, databases, and services through a unified interface for LLM-to-infrastructure interaction.
Tool Misuse
The runtime use of an AI agent's tools in unintended, unsafe, or attacker-directed ways — through over-privilege, descriptor ambiguity, or unsafe composition. The class OWASP ASI02 covers.
Tool Descriptor
The metadata an MCP server provides to describe a tool — its name, description, parameter schema, and usage notes — that an AI agent reads when deciding which tool to call.
AI Agent
Autonomous software system powered by a large language model that can perceive, reason, and execute actions — including signing blockchain transactions — without continuous human oversight.