Tool Registry Poisoning Risk: How AI Agents Can Be Deceived by Unverified Natural-Language Descriptions

A newly documented vulnerability in AI agent architecture reveals a systemic gap in how enterprise systems verify tools before deployment. AI agents operating within shared registries select their tools by matching natural-language descriptions, yet no human review process confirms whether those descriptions accurately reflect the tool's actual behavior. This design weakness creates multiple entry points for malicious actors to inject compromised or deceptive tools into systems that rely on automated tool discovery.

The issue was formally raised through Issue #141 filed in the CoSAI secure-ai-tooling repository. What initially appeared as a single risk became two distinct vulnerability categories when repository maintainers separated the concerns: selection-time threats—encompassing tool impersonation and metadata manipulation—and execution-time threats, which include behavioral drift and runtime contract violations. This splitting of the issue signaled that tool registry poisoning does not represent one vulnerability but rather a cascade of security gaps spanning the entire tool lifecycle, from initial registration through active deployment.

The temptation to apply existing software supply chain defenses looms large. Over the past decade, the industry has developed robust controls including code signing, software bill of materials (SBOMs), SLSA provenance standards, and Sigstore verification. However, these mechanisms were designed for traditional software distribution, where binary integrity and provenance chains provide guarantees. The natural-language description matching that drives AI tool selection operates at a fundamentally different layer, where metadata alone cannot assure behavioral fidelity. Security researchers warn that unless verification frameworks evolve to assess description-to-behavior alignment rather than merely cryptographic integrity, the poisoned registry problem will persist as a structural vulnerability in enterprise AI deployments.