Tool Catalog

A Tool Catalog is the set of tools an MCP server or other connector advertises to a connecting AI agent. Each entry in the catalog is a tool descriptor carrying the tool's name, free-form natural-language description, parameter schema (typically JSON Schema), and usage notes. When the agent plans a step, it reads the entire tool catalog into its working context to decide which tool best matches the current task and how to format the call.

Tool catalogs are the AI-agent equivalent of an API surface, but with one critical difference: every byte of catalog content flows directly into the LLM's reasoning input, alongside the system prompt and recent user messages. Whatever instructions are written into a catalog entry — even casually, even by a downstream maintainer — carry roughly the same authority as the agent's primary directive. This is the architectural property that makes tool poisoning attacks effective.

Why Catalogs Matter for Security

Three properties of tool catalogs make them a high-value target for attackers. They are large. A typical MCP host might consume catalogs from 5–15 connected servers, totalling thousands of tokens of trust-bearing content. Sanitising every byte of every entry against every known prompt-injection pattern is a non-trivial engineering task, and most production deployments do not attempt it. They are loaded automatically. The host pulls the full catalog at connection time and on every refresh, without surfacing the content to the user. They are mutable post-install. A connector can ship a benign catalog at install time and update it later — through a registry update, a runtime response, or a remote-content fetch — without any human review.

The combined effect: the tool catalog is one of the few inputs to a production LLM that carries effectively unbounded text content, is auto-loaded, is rarely user-visible, and is mutable from the server side. It is the natural channel for adversarial influence on agent behaviour.

Auditing Tool Catalogs

For any production agent deployment, treating the tool catalog as an untrusted input is the foundational defence. Catalog content should be sanitised against known prompt-injection patterns before it enters the LLM context; catalog size should be bounded with explicit length limits; and the structurally validated subset (parameter schemas, type signatures) should be preferred over the raw natural-language description fields. Logging the full catalog at every load and diffing it against the previous run is one of the cheapest mechanical signals that catches descriptor mutation post-install.

For the broader pattern of agentic supply-chain attacks that target tool catalogs, see the OWASP ASI04 explainer. For the live record of MCP-specific catalog-targeting incidents, see the MCP Breach Index 2025–2026.