§ PLATFORM / TOOL INTEGRITY
Pin the tool. Block the drift. Prove it.
Tool poisoning is the highest-leverage attack on enterprise AI agents in 2026 — a single changed MCP tool descriptor turns a benign tool into an exfiltration channel. Execlave pins what each tool is allowed to be, blocks the instant it changes, and generates the evidence that it did.
§ CAPABILITIES
Descriptor-integrity governance for MCP tools
The defense built for the #1 enterprise agent attack of 2026 — owning the combination no gateway or prompt firewall does.
Descriptor-integrity governance for MCP tools
01 / Capability
Descriptor-integrity pinning
Pin a per-agent baseline of approved (server, tool, descriptor hash) tuples. The trusted shape of every tool, recorded and enforced.
02 / Capability
Runtime drift diff
Every enforce call diffs the live descriptor against the baseline. A changed hash, or an unapproved tool or server, is a violation.
03 / Capability
Poisoning detection
Tool descriptions are scanned for injection and exfiltration patterns, so a poisoned description is flagged as critical even on a known tool.
04 / Capability
Tamper-evident evidence
Every decision is written to a hash-chained audit log and mapped to OWASP Agentic tool-misuse posture — auditor-grade proof, not just a log line.
§ QUESTIONS
MCP tool poisoning, answered
MCP tool poisoning, answered
What is MCP tool poisoning?
MCP tool poisoning is a supply-chain attack where the description or schema of a Model Context Protocol tool is altered after an agent has trusted it — turning a benign tool into one that exfiltrates data or executes unintended actions. Because agents act on the live tool descriptor, a single changed description can redirect an agent without any change to your own code.
How does descriptor pinning stop tool poisoning?
Descriptor pinning records a cryptographic hash of each approved tool descriptor as a per-agent baseline. At runtime Execlave diffs the live descriptor against the pinned hash; if it changed, or an unapproved tool or server appears, the call is blocked or routed for approval before the agent acts. The change is caught the instant it happens, not in a later audit.
Is Execlave an MCP gateway or registry?
No. Execlave is the governance and evidence layer above the connection layer. It consumes tool-call events from an MCP gateway, the Agent Control Standard hook, or directly from the SDK, and adds per-agent policy, synchronous enforcement, and tamper-evident audit — without sitting in the data path.
What happens on a legitimate tool update?
Run the policy in require-approval mode and re-pin with one click. A legitimate update produces a drift event you review and accept, which captures the new descriptor set as the baseline — so genuine upgrades are a one-step approval, not an outage.
§ COMPARISON
Execlave vs. MCP gateways and prompt firewalls
Gateways win the connection layer and stop at audit logs. Prompt firewalls detect but don't pin or prove. Execlave owns descriptor pinning + synchronous enforcement + per-agent policy + cryptographic evidence — together.
Execlave vs. MCP gateways and prompt firewalls
| Capability | MCP gateways | Prompt firewalls | Execlave |
|---|---|---|---|
| Tool/server allowlist | Yes | Partial | Yes |
| Descriptor-integrity pinning + drift diff | No | Partial | Yes |
| Synchronous block / require-approval | Connection layer | Yes | Yes |
| Per-agent (non-uniform) policy | Partial | Partial | Yes |
| Compliance mapping + cryptographic evidence | Audit only | Posture only | Yes |
Govern your MCP tools before they're poisoned
Pin every tool descriptor, block the drift synchronously, and hand an auditor the proof. Free to start, cloud or self-hosted.