seoPublished on July 12, 20266 min read

WebMCP and AI Agents: How Exposed Tools Can Be Hijacked by Prompt Injection

WebMCP allows AI agents to call tools on websites, but it also creates a direct pathway for prompt injection attacks. Find out what Chrome recommends protecting first.

WebMCPPrompt InjectionSegurança em IAAgentes de IAGenerative AISEOAutomação EmpresarialGoogle Chrome
Bitclever AI Research
Author: Bitclever AI Research ## Executive Summary WebMCP, an emerging protocol that allows websites to expose "tools" that AI agents can invoke directly, is gaining traction as a way to make the web more accessible to autonomous agents. However, the Chrome team has already flagged a significant risk: these same tools can become an attack vector through prompt injection, allowing malicious actors to hijack the behaviour of AI agents. This article examines what happened, why this topic matters for businesses investing in AI automation, and what protective measures should be considered now. ## What Happened According to an article published in Search Engine Journal, WebMCP (Web Model Context Protocol) is emerging as an extension of the concept popularised by the Model Context Protocol (MCP), allowing websites to define named and described tools that AI agents can call directly while browsing or interacting with a page. The core idea is simple: instead of an AI agent having to visually "interpret" a web page and simulate clicks or form fills, the site itself exposes structured, documented functions — for example, "add_to_cart", "search_product" or "submit_form" — that the agent can invoke directly and predictably. However, according to the source, the Google Chrome team identified a critical problem with this approach: since the descriptions of these tools are typically processed by the agent's language model as part of its context, a malicious or compromised website can embed hidden instructions within those descriptions. This is a classic "prompt injection" vector, but applied to a new channel — the very tool definitions that the agent is led to trust by default. In practice, this means that an AI agent browsing the web autonomously and interacting with WebMCP tools exposed by untrusted sites can be manipulated into executing unauthorised actions, extracting sensitive data, or deviating from the original task assigned to it by the user or the company operating it. The original source notes that Chrome is already recommending mitigation practices, emphasising the need to treat tool definitions exposed by third-party sites with the same level of scrutiny applied to any untrusted input coming from the open web. ## Why This Matters The emergence of WebMCP fits into a broader trend of transforming the web to become "agent-friendly" — that is, optimised not only for human users but also for AI agents that browse, search and execute tasks autonomously on behalf of users or companies. This trend has direct implications for SEO, digital marketing and generative AI, since the way content and functionality on a website are structured now influences not only ranking on traditional search engines, but also how AI agents "discover" and interact with that same website. However, as this layer of agent-web interaction expands, attack surfaces also multiply. Prompt injection is already recognised as one of the most critical security risks in generative AI systems, and WebMCP, by formalising direct communication channels between websites and agents, creates an additional vector that can be exploited by malicious actors with relative ease — simply by manipulating text that the language model will process as a legitimate instruction. This risk is particularly relevant in a context where more and more companies are adopting AI agents for tasks such as market research, price comparison, automatic form filling, or even negotiation and purchasing on behalf of customers. If these agents are not properly protected, they can become vectors for fraud, data exfiltration or unwanted actions on critical business systems. ## Business Impact For organisations that already use or plan to adopt autonomous AI agents — whether in internal automation processes or in interactions with customers or partners over the web — this development has concrete practical implications: **1. Need for auditing exposed tools:** Companies that expose WebMCP tools on their own websites must ensure that the descriptions of these tools are strictly controlled, sanitised, and cannot be altered by user-generated content or third parties without validation. **2. Extra caution when integrating agents with external websites:** Organisations that use AI agents to interact with third-party sites — for example, to automate purchases, competitive research or information gathering — must assume that any tool exposed by a site not controlled by the company itself may contain malicious instructions. **3. Review of AI governance policies:** This case reinforces the importance of defining clear policies on which actions an AI agent can perform autonomously versus which require human confirmation, especially when the agent interacts with untrusted external systems. **4. Impact on SEO and digital presence strategies:** For digital marketing and SEO teams, this development signals that optimisation for AI agents (an emerging branch of SEO, sometimes referred to as "AEO" — Agent Engine Optimization) will need to include security considerations from the design phase onward, not just discovery and ranking concerns. **5. Reputational and compliance risk:** A hijacked AI agent that performs improper actions on behalf of a company — such as disclosing customer data or carrying out unauthorised transactions — can generate not only direct financial losses, but also reputational damage and potential regulatory compliance issues, especially in sectors subject to GDPR and other data protection standards. ## Bitclever Perspective At Bitclever, we closely monitor the evolution of protocols such as MCP and WebMCP, recognising their enormous potential to transform how businesses automate processes and interact with AI agents. At the same time, we understand that responsible adoption of these technologies requires a security-by-design approach, not an afterthought. For organisations exploring the integration of AI agents into their workflows — whether through advanced RPA, business process automation, or autonomous web interactions — we recommend a careful assessment of three dimensions: (1) which tools and data are being exposed to agents, both internal and external; (2) what validation and sanitisation mechanisms exist to prevent the injection of malicious instructions; and (3) what levels of autonomy are granted to agents in different operational contexts. Our experience in enterprise automation projects, combined with technical expertise in Low-Code platforms such as OutSystems and Appian, as well as in generative AI solutions, allows us to help companies design AI agent architectures that balance productivity and security. This involves implementing validation layers between agents and untrusted external sources, defining clear AI governance policies, and conducting regular audits of existing integrations. Rather than reacting to vulnerabilities as they arise, we believe the key lies in anticipating risks like this during the design phase of any solution based on autonomous agents — ensuring that innovation is not compromised by security, nor security sacrificed in the name of innovation. ## Conclusion The WebMCP case illustrates a recurring pattern in the evolution of generative AI: each new layer of capability and autonomy brings with it new attack surfaces that need to be understood and mitigated before large-scale adoption. For companies that see autonomous AI agents as a genuine opportunity for efficiency gains, the message is clear — technological innovation must go hand in hand with robust security and governance practices. Those who invest today in understanding these risks will be better positioned to capture the benefits of WebMCP and similar technologies, without compromising the trust of their customers or the integrity of their systems.