WebMCP Can Be Used To Hijack AI Agents, Chrome Warns via @Sejournal, @Martinibuster

WebMCP—Google’s interface that lets AI agents call web‑based tools—has become a focal point for security researchers after several prompt‑injection demonstrations. By embedding malicious instructions in tool manifests or returned content, attackers can steer an agent’s behavior, even within an authenticated user session. Chrome’s new documentation highlights that these vulnerabilities stem from the way large language models treat all text as a single token stream, making it difficult for the model itself to differentiate benign requests from hidden exploits.

To mitigate the threat, Chrome advocates a layered defense model that blends deterministic safeguards with probabilistic checks. Developers are urged to set strict token limits on tool responses, restrict cross‑origin calls, and require explicit user confirmation before state‑changing actions. Additional measures such as untrustedContentHint annotations, readOnlyHint flags, and prompt‑injection classifiers help isolate risky data. By treating WebMCP tools as potentially state‑altering unless marked otherwise, the guidance keeps humans in the loop and reduces the attack surface for automated exfiltration.

For the broader ecosystem, Chrome’s stance signals that AI agent security is a shared responsibility. Tool creators must embed clear metadata and origin controls, while agent developers need to implement secondary "critic" models that evaluate planned tool calls. This collaborative approach not only hardens current deployments but also sets a precedent for future standards as AI agents become more pervasive across browsers and web applications.