Home

MCP memory poisoning

MCP Memory Poisoning Review for Tool-Connected Agents

MCP memory poisoning risk appears when tool-connected agents store untrusted resource text, server outputs, or third-party data as future instructions. The review should separate tool evidence from user-approved memory and attach provenance to anything that survives.

View pricing plans

When this matters

  • An MCP server returns resource text that includes instruction-like content.
  • A memory tool stores summaries from web pages, tickets, documents, or chats.
  • A platform team needs a rule for what MCP output may become durable context.

How to run the audit

  1. Identify every MCP source that can write or suggest memory.
  2. Classify outputs as evidence, instruction, preference, policy, or temporary state.
  3. Flag instruction-like text from untrusted resources.
  4. Require review or expiration for high-risk memories.
  5. Export an MCP-ready memory policy and audit receipt.

Common risks

  • Tool results can look authoritative even when they come from untrusted content.
  • Server-card metadata can be confused with workspace policy if not scoped.
  • Persistent memory can carry a poisoned tool result into unrelated future tasks.

How Memory Hygiene Audit connects this to checkout

Memory Hygiene Audit gives MCP operators a practical gate for memory writes, poisoning signals, and agent-consumable policy output.

Teams can preview the score, then use the Team Hygiene annual checkout to generate the full cleanup diff, reviewer notes, and agent-readable JSON policy.