A collection of bundled, trusted tools providing fundamental capabilities: the MCP client bridge to the external MCP layer, a sandboxed shell, workspace I/O, and web search.
AI/ML / Multi Agent Refarch / Capabilities / DEV
Built-in trusted tools
CCC.MARefArc.CP08
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.TH12 | Indirect prompt injection via retrieved or processed content | Malicious instructions hidden in retrieved documents, web-search results, tool outputs, or persisted memory are processed by an agent and hijack its decision-making, escalate privileges, trigger unauthorized actions, or exfiltrate data, which is especially dangerous in automated multi-agent workflows. |
| CCC.MARefArc.TH27 | Authorization bypass and tool-chain privilege escalation | Agents discover and invoke API endpoints outside their use case, chain individually authorized calls into unauthorized outcomes, circumvent segregation-of-duties workflows, or experience permission creep during operation, defeating intended authorization boundaries. |
| CCC.MARefArc.TH28 | Tool selection, parameter, and sequencing manipulation | Crafted inputs cause agents to select inappropriate tools, inject malicious parameters into legitimate calls, reorder tool execution into dangerous combinations, corrupt tool-state understanding, or pass one tool's output as malicious input to the next. |
| CCC.MARefArc.TH29 | MCP supply-chain compromise | External MCP servers are compromised, receive poisoned updates, are sabotaged by insiders, or have their protocol and transport manipulated through man-in-the-middle or downgrade attacks, or have connections redirected via DNS and infrastructure attacks, injecting malicious data or logic into services agents consume. |
| CCC.MARefArc.TH32 | Credential harvesting via agent tools and storage | Agents are manipulated into using file, database, API, and cloud-management tools to enumerate and extract credentials from configuration files, environment variables, process memory, databases, key vaults, and instance metadata, and to correlate fragments into full credentials. |