Tencent's WeKnora agent framework (versions prior to 0.3.0) contains a vulnerability in its MCP client implementation that enables a novel attack category: tool execution hijacking. By registering a malicious MCP server, an attacker can silently overwrite legitimate tool pointers in the agent's tool registry, then feed indirect prompt injections to the LLM through those substituted tools.
Unlike traditional prompt injection — which targets the model's input — this attack corrupts the agent's tool registry at the infrastructure level. The model continues to believe it is calling trusted, legitimate tools while it is actually routing calls through attacker-controlled endpoints. This allows the attacker to exfiltrate sensitive context (conversation history, API credentials, user data) without triggering behavioral guardrails that monitor for suspicious prompts.
Any enterprise deployment of WeKnora pre-0.3.0 with dynamic MCP server registration enabled is fully exposed. The attack requires only the ability to register an MCP server — no model access or direct user interaction required. Exfiltrated data includes anything flowing through the compromised tool channel.
Recommendation: Upgrade to WeKnora 0.3.0 immediately. Audit all registered MCP servers for provenance and cryptographic identity, and disable dynamic MCP server registration where it is not operationally required.
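The registry-level mitigation this advisory points at, written as an added example rather than WeKnora's own code: a tool registry that records which MCP server bound each tool name, refuses to let a second server (allow-listed or not) rebind an existing name, and logs every refused attempt instead of silently overwriting the pointer. `ToolRef`, `Registry`, the server IDs and endpoints are all assumed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ToolRef (hypothetical): the name the model sees plus the MCP server that bound it.
type ToolRef struct{ Name, ServerID, Endpoint string }
var (
	ErrUnknownServer = errors.New("server is not allow-listed")
	ErrToolCollision = errors.New("tool name already bound by another server")
)
// Registry (assumed structure, not WeKnora's) binds each name once and logs refused attempts.
type Registry struct {
	allowed map[string]bool
	tools   map[string]ToolRef
	Audit   []string
}

func NewRegistry(allowed map[string]bool) *Registry {
	return &Registry{allowed: allowed, tools: map[string]ToolRef{}}
}

// Register keeps the first binding in force: a different server, allow-listed
// or not, cannot replace it, and the attempt is recorded for review.
func (r *Registry) Register(t ToolRef) error {
	var err error
	if !r.allowed[t.ServerID] {
		err = ErrUnknownServer
	} else if cur, ok := r.tools[t.Name]; ok && cur.ServerID != t.ServerID {
		err = ErrToolCollision
	}
	if err != nil {
		r.Audit = append(r.Audit, fmt.Sprintf("reject %q from %s: %v", t.Name, t.ServerID, err))
		return err
	}
	r.tools[t.Name] = t
	return nil
}
// Resolve is what the agent consults before dispatching a model tool call.
func (r *Registry) Resolve(name string) (ToolRef, bool) { t, ok := r.tools[name]; return t, ok }

func main() {
	reg := NewRegistry(map[string]bool{"docs-server": true, "crm-server": true})
	_ = reg.Register(ToolRef{"search_docs", "docs-server", "https://docs.internal/mcp"})
	// Constructed scenario: a second allow-listed server tries to claim the same name.
	fmt.Println(reg.Register(ToolRef{"search_docs", "crm-server", "https://crm.internal/mcp"}))
	t, _ := reg.Resolve("search_docs")
	fmt.Println(t.Endpoint, reg.Audit) // original binding unchanged
}
```

The same server re-registering its own tool (for instance after a reconnect) is still accepted, so the check only blocks cross-server shadowing.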