Agents need tools to interact with the world: APIs, databases, file systems, search engines. Each tool requires a JSON schema definition that the model reads to understand what the tool does and how to call it. A single complex schema (nested objects, enums, parameter descriptions) can consume 500+ tokens.

MCP (Model Context Protocol) has become the standard for connecting agents to external tools. Originally released by Anthropic in November 2024, it is now governed by the Agentic AI Foundation under the Linux Foundation. MCP provides a standardized interface for tool discovery, invocation, and result handling.

MCP solves the connection problem — a universal protocol means tools work across different agent platforms without custom integrations.

MCP does NOT solve the context cost problem — each connected server still adds its tool schemas to the context window. The standardization of the interface doesn’t reduce the token cost of the schemas themselves.

Manus discovered a critical constraint: avoid dynamically adding or removing tools mid-iteration. Tool definitions sit near the front of the context (in the stable prefix zone). Any change to tool definitions invalidates the KV-cache for all subsequent tokens, forcing the model to recompute attention from scratch.

KV-cache invalidation means significant latency spikes every time tools change. In a long-running agent task, dynamically adding a tool mid-conversation can add seconds of recomputation. The practical rule: define your tool set at the start of the session and keep it stable. If you need different tools for different phases, use separate agent sessions.

The model selects tools based on their descriptions, but most MCP server authors write descriptions for humans, not models. Too vague and the model picks the wrong tool. Too verbose and you waste context on a single schema. The quality of tool descriptions directly determines tool selection accuracy.

Tool overlap: Two different MCP servers might offer similar capabilities (two search tools, two file readers). Without deduplication or preference logic, the model picks arbitrarily.

No versioning: When an MCP server updates its tool schemas, the agent has no way to know. Stale descriptions in cache cause silent failures.

No quality standard: MCP standardizes the interface but not description quality, schema conventions, or documentation depth.

Each connected MCP server is an attack surface. Tool outputs can contain prompt injection attempts — malicious instructions embedded in data that the model processes as part of its context. The more tools available, the larger the exposure. A compromised or malicious MCP server can inject instructions that override the agent’s system prompt.

Principle of least privilege: Give agents access only to the tools they need for the current task, not every tool available.

Output sanitization: Filter tool outputs for known injection patterns before injecting into context.

Sandboxing: Run MCP servers in isolated environments with limited permissions.

Audit logging: Log every tool invocation and its output for security review.

Just as Agent Skills use progressive disclosure for instructions (Ch 3), tools can use the same pattern. At startup, the agent sees only tool categories and brief descriptions. When a category is relevant, the full tool schemas load. This prevents 50K tokens of tool schemas from consuming the context before any work begins.

OpenAI’s approach uses dynamic namespacing — agents discover relevant tools on demand instead of being overwhelmed with hundreds of options. The agent starts with a small set of core tools and can request additional tools from specific namespaces when the task requires them. This is the tool equivalent of lazy loading in web development.

The first step in tool management is measuring the problem. Count how many tokens your tool schemas consume before any user interaction. This number is usually higher than expected. For many production systems, tool schemas are the single largest fixed cost in the context window — larger than the system prompt, larger than few-shot examples.

Schema compression: Remove verbose descriptions, simplify parameter names, eliminate optional parameters the agent never uses.

Tool deduplication: When two MCP servers offer similar tools, choose one and remove the other.

Tiered loading: Core tools always loaded; specialized tools loaded on demand.

Schema caching: Use prompt caching to avoid paying for tool schemas on every request.

Description quality standardization: MCP standardizes the interface but not the quality of tool descriptions. A community standard for model-oriented descriptions would dramatically improve tool selection accuracy.

Schema versioning: When MCP servers update their tools, agents need to know. There’s no versioning protocol for tool contracts yet.

Cross-server deduplication: Automatically detecting and resolving overlapping tools across MCP servers remains manual.

Tool registries: Centralized catalogs of MCP servers with quality ratings and compatibility information.

Automatic schema optimization: LLMs that rewrite tool descriptions for better model comprehension.

Tool recommendation: Systems that suggest which tools to load based on the current task, similar to how IDEs suggest imports.