Tool Description Injection

Embed malicious instructions in tool or skill descriptions that execute when the agent processes them

Tactic

Initial Access (Stage 2)

Gain control over agent behavior through prompt manipulation or input exploitation

Attack Class

SKILL-FRONTMATTER

Embedding malicious instructions in skill or plugin metadata and description fields

Evidence

observed

Confirmed in real-world production systems or internet-wide exposure assessments.

DVAA Validation

Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.

PluginBot

Honeypot Coverage (AgentPwn)

Livemcp-exploitationagentpwn.com/attacks/mcp-exploitation

An AgentPwn trap page produces a payload tagged with this technique class. Following the AgentPwn taxonomy of trap pages shows what an agent encounters.

Evidence Source Breakdown

Shodan

1 record

HMA

7 records

Evidence Timeline

Shodan

Shodan May 12, 2026 sweep: 38,976 exposed tools services indexed

May 12, 2026

HMA

HMA check SKILL-004 failed on fake-vulnerable-agent

Apr 29, 2026

HMA

HMA check SKILL-004 failed on fake-vulnerable-agent

Apr 29, 2026

HMA

HMA check SKILL-001 failed on opena2a/code-review-skill

Apr 27, 2026

HMA

HMA check SKILL-001 failed on opena2a/code-review-skill

Apr 27, 2026

HMA

HMA check SKILL-004 failed on fake-vulnerable-agent

Apr 22, 2026

HMA

HMA check SKILL-001 failed on damn-vulnerable-ai-agent

Apr 22, 2026

HMA

HMA check SKILL-001 failed on hackmyagent-release-test-vplv

Apr 13, 2026

Detection (HackMyAgent)

Live3 live · 0 queued

SKILL-001SKILL-004SKILL-005

npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implemented

Defense (OASB Controls)

Live5 live · 0 queued

OASB 3.1 OASB 3.2 OASB 3.3 OASB 3.4 OASB 3.5

Live = documented at oasb.ai; queued = declared, not yet documented

How to Cite

AI Agent Threat Matrix T-2005 (Tool Description Injection). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-2005

← Back to Matrix