Capability Laundering

Capability Laundering: The Series So Far This is the third case in an ongoing series documenting capability laundering in MCP ecosystems. Capability laundering is when an agent calls one tool, but gets the effect of a different capability via side effects. It occurs when all three conditions are met: The tool’s contract does not cover its effects — the implementation can produce effects beyond what the tool claims to do. Inputs can steer those effects — arguments can influence which effect happens and what gets modified. Controls gate tool calls, not effects — approvals and policies do not model the effect being produced. The previous two cases: ...

What Happened In our previous analysis, we identified capability laundering in Anthropic’s Memory MCP Server: a “memory storage” tool that could write arbitrary configuration files through unconstrained implementation. This is the second case. The MCP Git Server (mcp-server-git) exposes Git operations to AI agents. The git_init tool accepts arbitrary repo_path values without validation, creating repositories in any filesystem location. Combined with git_diff_staged, this turns a “Git helper” into a credential exfiltration primitive. ...