This work identifies a novel security threat introduced by the WebMCP protocol, which dynamically exposes tools to AI agents and thereby creates a new attack surface susceptible to runtime manipulation by third-party scripts. The study presents the first characterization of this vulnerability and introduces the "Mid-Session Tool Injection" (MSTI) attack model, encompassing two primary techniques: Tool Hijacking—leveraging the AbortSignal API and race conditions to seize control of tools—and Tool Framing—tampering with tool metadata such as name, description, readOnlyHint, and inputSchema. Empirical evaluation demonstrates that MSTI attacks can effectively disrupt agent behavior. In response, the paper proposes four defense strategies: binding tools to their origins, ensuring lifecycle consistency, isolating third-party tool data boundaries, and maintaining auditable, traceable logs.

WebMCP is a newly emerging protocol that enables websites to expose tools directly to AI agents, bypassing traditional user interfaces and introducing new security risks. The dynamic exposure of agent-accessible tools in WebMCP expands the attack surface of web sessions, especially when third-party scripts are involved. In this study, we identify a new potential threat, termed Mid-Session Tool Injection (MSTI), in which attackers leverage third-party scripts to inject malicious tools during an active session. To better characterize this threat, we classify MSTI based on the stage and target of manipulation, distinguishing between Tool Hijacking and Tool Framing. Tool Hijacking modifies the set of tools visible to the agent through mechanisms such as the AbortSignal API or race conditions during tool registration. In contrast, Tool Framing influences the agent's perception of tool roles through metadata fields such as tool name, description, readOnlyHint, and inputSchema. Our implementation demonstrates that both Tool Hijacking and Tool Framing can successfully disrupt the intended functionality of WebMCP. Based on these results, we outline potential mitigation directions and provide security design recommendations for WebMCP, including binding tool identity to its origin, ensuring lifecycle consistency, enforcing data boundaries for third-party tools, and maintaining traceable logs of tool registration and invocation. These findings indicate that MSTI arises from WebMCP's unique tool lifecycle and structured metadata, making the tool surface itself an emerging security concern.