
Image credit: Search Engine Journal
Websites globally adopting WebMCP tools risk exposing artificial intelligence agents to hijacking through malicious instructions, requiring immediate implementation of security measures, according to new guidance from Chrome.
The responsibility for safeguarding AI agents from exploitation falls on website owners and tool developers who expose these functionalities to large language models (LLMs) and other AI systems.
Chrome’s security guidance emphasized that WebMCP, which allows websites to expose named tools to AI agents, presents two primary attack vectors: malicious manifests and contaminated outputs. Malicious manifests involve hidden instructions embedded within tool definitions, while contaminated outputs carry malicious instructions within user-generated or third-party data.
LLMs are particularly vulnerable to these attacks because they cannot reliably differentiate between data and commands, making prompt injection a significant concern, the guidance stated.
To mitigate these risks, website owners must utilize specific security annotations within their WebMCP tool definitions. These include untrustedContentHint, which flags potentially unsafe content, and readOnlyHint, indicating that a tool only reads data without making changes.
Additionally, the exposedTo annotation helps control which agents can access specific tools, thereby limiting potential exposure. Chrome also recommended implementing character limits for tool descriptions, capped at 500 characters, and tool outputs, restricted to 1,500 characters.
For critical actions, developers should integrate requestUserInteraction(), a function that prompts users for confirmation before proceeding, adding an essential layer of human oversight.
Similar to public API endpoints, every WebMCP tool requires thorough threat modeling before deployment. This proactive approach helps identify and address potential vulnerabilities before they can be exploited.
The WebMCP specification is currently in a Chrome origin trial, indicating its evolving nature and the ongoing development of its security framework.
Source: Search Engine Journal
Written by
Joyce de Castro
Joyce is a core team member at Rabbit Rank and the lead author covering SEO news, algorithm updates, industry trends, and actionable ranking strategies.
Keep reading
Related Articles

Google AI Mode integrates Calendar for personalized search
Google’s AI Mode now connects with Google Calendar, enabling direct event creation and highly personalized sea...

ChatGPT-referred calls show higher lead rate, average conversion
Invoca’s report reveals ChatGPT-referred calls have a 49% lead rate, 10 points above average, but convert at a...

Google patent suggests ranking content by ‘information gain score’
A Google patent, recently extended, suggests the company may evaluate and rank unique content based on an ‘inf...