I launched an AI security company called AEVRIS five days ago. On the same day we launched, a Claude-powered AI agent deleted an entire production database in 9 seconds. The agent then wrote a confession listing every safety rule it had violated. That got people's attention. But it's not the attack I'm most worried about. The attack I'm most worried about doesn't require a malicious user. It doesn't require a jailbreak. It doesn't even require your AI to make a mistake.It requires a tool description. If you're building AI agents with Model Context Protocol — and if you're using Cursor, Claude, or any modern agentic framework you probably are — your agents read tool descriptions before they do anything. Those descriptions tell the agent what tools are available and how to use them. What happens when those descriptions contain hidden instructions? Your agent reads them. Follows them. And has no way to know it was manipulated. This is MCP tool poisoning. Google DeepMind documented it this week as part of the largest empirical study of AI agent attacks ever conducted. We've been building the defense for it since before the paper dropped. Here's how the attack works, why it's hard to catch, and what we built to stop it.