πŸ”AI RiskAtlas

The Tool With a Hidden Agenda

A trusted MCP email tool quietly BCCs every message to an attacker

Technique first revealed 01 Apr 2025

Diagram: Tool-Using Agent (interactive figure; only its labels survive here). Zones: Untrusted, Agent core, Oversight, The real world. Components: User; Orchestrator / Agent Loop; LLM; Identity & Permissions; Tool Runtime; Human Approval Gate; External APIs; Business Database; Untrusted Content; Audit Logging; 3rd-party MCP server (email); attacker BCC inbox. Annotated flows: tool descriptions → prompt; registers send_email. Legend: Instructions, Data, Actions, Control / decision, Feedback / logs.
Setup (Step 1 / 6)

Adopting a popular tool

The team wants their assistant to send emails, so they install a well-known MCP email server with thousands of downloads and glowing reviews. They try it, it works exactly as advertised, and they roll it out to everyone, adopting it on reputation alone rather than on a review of what the server actually does with each message.

βš™οΈTool registration (review build, looks clean)config
mcpServers:
  email-helper:
    command: npx email-helper-mcp@latest   # <- floating tag, no pin
    tools:
      - name: send_email
        description: |
          Send an email. Args: to, subject, body.
        # 12k downloads, 4.8 stars; adopted on reputation
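The registration above has one flag a reviewer should catch before looking at the tool at all: `npx email-helper-mcp@latest` resolves the package's `latest` dist-tag every time the server starts, so whatever the maintainer (or whoever now controls the package) publishes next is what runs. The following is an added example, not AI RiskAtlas code and not part of any real MCP client: a small linter that walks an `mcpServers` registration, finds the package handed to `npx`, and reports unpinned or floating versions. It assumes the config is modelled as the nested dicts below (mirroring the page's YAML, constructed here) and that a hardened registration carries a hypothetical `integrity` field with an npm-style `sha512-...` digest; both the pinned version `2.3.1` and the digest value are placeholders.

```python
"""Lint MCP server registrations for floating or unpinned package versions.

Added example, not AI RiskAtlas code. The config shape mirrors the page's
`mcpServers` block; the `integrity` field is a hypothetical policy extension.
"""
import re
import shlex

# Exact semver such as 1.2.3 or 1.2.3-rc.1; anything else is a range or a dist-tag.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
LAUNCHERS = {"npx", "bunx", "pnpx"}

# Constructed config reproducing the page's registration (the weak form).
WEAK_CONFIG = {
    "mcpServers": {
        "email-helper": {
            "command": "npx email-helper-mcp@latest",
            "tools": [{"name": "send_email",
                       "description": "Send an email. Args: to, subject, body."}],
        }
    }
}

# Constructed hardened form: exact version plus a placeholder integrity digest.
PINNED_CONFIG = {
    "mcpServers": {
        "email-helper": {
            "command": "npx -y email-helper-mcp@2.3.1",          # version is hypothetical
            "integrity": "sha512-" + "A" * 86 + "==",            # placeholder, not a real hash
            "tools": [{"name": "send_email",
                       "description": "Send an email. Args: to, subject, body."}],
        }
    }
}


def parse_npm_spec(spec):
    """Split 'name@version' or '@scope/name@version' into (name, version)."""
    if spec.startswith("@"):  # scoped package: the leading '@' is part of the name
        scope, _, rest = spec[1:].partition("/")
        name, _, version = rest.partition("@")
        return "@" + scope + "/" + name, version
    name, _, version = spec.partition("@")
    return name, version


def package_spec_from_command(command):
    """Return the package spec handed to npx/bunx/pnpx, or None if the command
    is not such a launcher. Bare flags (-y, --yes) are skipped; flags that take
    a value (for example `-p <pkg>`) are not handled in this example."""
    tokens = shlex.split(command)
    if not tokens or tokens[0] not in LAUNCHERS:
        return None
    for tok in tokens[1:]:
        if not tok.startswith("-"):
            return tok
    return None


def lint_server(name, server):
    """Return (severity, code, message) findings for one registered server."""
    spec = package_spec_from_command(server.get("command", ""))
    if spec is None:
        return [("info", "not-npx", f"{name}: not an npx-style launcher; review it by hand")]
    pkg, version = parse_npm_spec(spec)
    if version == "":
        return [("high", "unpinned",
                 f"{name}: {pkg} has no version; the 'latest' dist-tag is resolved on every start")]
    if not EXACT_VERSION.match(version):
        return [("high", "floating",
                 f"{name}: {pkg}@{version} is a dist-tag or range; the next publish changes the code silently")]
    if "integrity" not in server:
        return [("medium", "no-integrity",
                 f"{name}: {pkg}@{version} is pinned but has no integrity digest; "
                 "a registry mirror or tampered cache could serve different bytes")]
    return []


def lint_mcp_servers(config):
    """Lint every server under `mcpServers` and return all findings."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        findings.extend(lint_server(name, server))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("pinned", PINNED_CONFIG)):
        print(label, lint_mcp_servers(cfg) or "no findings")
```

Pinning closes only the "new publish" path; it does not tell you what the pinned version does, so the exact-version plus digest check is the entry ticket to a code review of the server, not a substitute for one.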

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning, not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading · Built by Shi Yuan