Add WebMCP to your website, and you hand visiting AI agents a set of named tools to call. Those same tools can be used to turn the agents against the people who sent them. Chrome’s developer site now carries the security guidance for WebMCP, and much of it is written for the websites exposing the tools rather than the companies building the agents. Make your website agent-ready with WebMCP, and you have also opened an attack surface, and closing it is your job, not the agent’s.
For two years, the agent-readiness conversation has been about access: Can an agent reach your content, read your page, finish your checkout? WebMCP is the version where you stop hoping an agent figures your website out from the markup and start handing it named tools to call. That is the more useful protocol, and it is the direction the agentic web’s protocol layer is moving. It is also where being legible to an agent and being safe for an agent stop being the same property.
Chrome Named Two Ways Agents Get Hijacked Through WebMCP
Chrome’s agent-security guidance describes two attack vectors, and both arrive through the tools a website exposes. The first is the malicious manifest. In Chrome’s words, “Websites may have tool definitions with hidden instructions, in tool names, parameters, or descriptions, designed to hijack the agent.” A tool’s description is text the agent reads to decide how to use the tool, so a description can carry an instruction the agent was never meant to follow.
The second vector is the one most websites will actually hit, and it needs no malicious website at all. Chrome calls it a contaminated output: “Real-time tool responses from otherwise trustworthy sites might include malicious instructions as part of third-party data, such as user comments.” A tool on your own website that returns your product reviews, your comment threads, your forum posts, or your support replies is returning text other people wrote. If one of those people planted an instruction inside a review, your legitimate tool has handed it to the agent as if it came from you. The payload is your own user-generated content, and you invited it in.
This works because of something that is not a bug and will not be patched. “LLMs treat all text, instructions and user data, as a single sequence of tokens,” the guidance says, so the model cannot reliably separate the part you meant as data from the part an attacker meant as a command. That is why Chrome says “the probabilistic nature of LLMs makes it impossible to guarantee safety inside the model itself.” This is the same prompt-injection problem that has no clean fix inside the model, now wearing a protocol. WebMCP gives that attack a clean, structured delivery route through the tools you published on purpose.
Making A Website Agent-Ready Now Includes Making It Agent-Safe
Chrome’s guidance puts the obligation on the website, not only on the agent. Chrome’s tool-security document opens with a line aimed…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]