Tool Preferences in Agentic LLMs are Unreliable

TL;DR

This paper reveals that the way tool descriptions are presented to agentic LLMs significantly influences their usage, exposing a vulnerability that can be exploited to unfairly promote certain tools, highlighting the need for more reliable tool selection methods.

Contribution

The study uncovers a vulnerability in tool description protocols that allows manipulation of tool preferences in LLMs, demonstrating the fragility of current methods and the necessity for more robust solutions.

Findings

Edited tool descriptions can increase usage by over 10 times.

Tool preferences are highly sensitive to description wording.

The phenomenon generalizes across multiple models.

Abstract

Large language models (LLMs) can now access a wide range of external tools, thanks to the Model Context Protocol (MCP). This greatly expands their abilities as various agents. However, LLMs rely entirely on the text descriptions of tools to decide which ones to use--a process that is surprisingly fragile. In this work, we expose a vulnerability in prevalent tool/function-calling protocols by investigating a series of edits to tool descriptions, some of which can drastically increase a tool's usage from LLMs when competing with alternatives. Through controlled experiments, we show that tools with properly edited descriptions receive over 10 times more usage from GPT-4.1 and Qwen2.5-7B than tools with original descriptions. We further evaluate how various edits to tool descriptions perform when competing directly with one another and how these trends generalize or differ across a broader set of 17 different models. These phenomena, while giving developers a powerful way to promote their tools, underscore the need for a more reliable foundation for agentic LLMs to select and utilize tools and resources. Our code is publicly available at https://github.com/kazemf78/llm-unreliable-tool-preferences.