AI Agent Threat Matrix
Matrix/Initial Access/T-2005
T-2005validatedactive

Tool Description Injection

Embed malicious instructions in tool or skill descriptions that execute when the agent processes them

Tactic

Initial Access (Stage 2)

Gain control over agent behavior through prompt manipulation or input exploitation

Attack Class

SKILL-FRONTMATTER

Embedding malicious instructions in skill or plugin metadata and description fields

Evidence

validated

Reproduced in controlled lab environment (DVAA) with documented steps.

DVAA Validation

PluginBot

Honeypot Coverage (AgentPwn)

Livemcp-exploitationagentpwn.com/attacks/mcp-exploitation

An AgentPwn trap page produces a payload tagged with this technique class. Following the AgentPwn taxonomy of trap pages shows what an agent encounters.

Detection (HackMyAgent)

Live3 live · 0 queued
SKILL-001SKILL-004SKILL-005
npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implemented

Defense (OASB Controls)

Live5 live · 0 queued
OASB 3.1OASB 3.2OASB 3.3OASB 3.4OASB 3.5
Live = documented at oasb.ai; queued = declared, not yet documented

How to Cite

AI Agent Threat Matrix T-2005 (Tool Description Injection). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-2005
← Back to Matrix