
arxiv: 2605.21392 · v1 · pith:XHFUQAS7new · submitted 2026-05-20 · 💻 cs.CR

VIPER-MCP: Detecting and Exploiting Taint-Style Vulnerabilities in Model Context Protocol Servers

Pith reviewed 2026-05-21 03:37 UTC · model grok-4.3

classification 💻 cs.CR
keywords: Model Context Protocol, taint analysis, vulnerability detection, LLM agents, security auditing, zero-day vulnerabilities, prompt evolution, static analysis

The pith

VIPER-MCP detects taint-style vulnerabilities in MCP servers and confirms them with evolved natural-language prompts that reach privileged sinks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents an automated auditing system for Model Context Protocol servers that connect large language model agents to tools with shell, network, and file-system access. It argues that standard static taint analysis alone produces too many unverified alerts while fixed prompt templates miss the specific parameter shapes needed to trigger multi-step vulnerabilities. VIPER-MCP therefore adds an anchor-query pass that maps static alerts to concrete MCP tool handlers and a dual-mutator prompt evolution loop that iteratively corrects tool selection and deepens parameter reach until an end-to-end exploit trace is produced. In a scan of nearly 40,000 real-world repositories the system located 106 previously unknown vulnerabilities, every one validated by a working proof-of-concept prompt, and 67 of them received CVE assignments. A sympathetic reader would conclude that natural-language interfaces to privileged operations create a new and systematically exploitable attack surface that existing security tools have not addressed.

Core claim

VIPER-MCP is the first end-to-end framework that both detects taint-style vulnerabilities in MCP servers through a two-pass static analysis and dynamically confirms their exploitability by generating concrete proof-of-concept prompts via feedback-driven dual-mutator evolution, as demonstrated by the discovery of 106 zero-day vulnerabilities across 39,884 open-source repositories, all validated through end-to-end exploit traces with 67 CVE IDs assigned.

What carries the argument

The anchor-query pass that augments taint alerts with function-level structural context to resolve them to specific MCP tool handlers, combined with dual-mutator prompt evolution that independently corrects tool-selection drift and deepens parameter penetration.

If this is right

  • MCP servers that expose shell execution, network access, or file manipulation to LLM-driven calls contain direct natural-language-to-sink paths that can be triggered without traditional code injection.
  • Two-pass analysis that first identifies candidate sinks and then anchors them to concrete tool handlers reduces the file-level noise that defeats standard taint tools on large codebases.
  • Iterative prompt mutation that separately repairs tool choice and parameter depth can reach vulnerabilities requiring specific multi-argument shapes that fixed templates miss.
  • Large-scale scanning of open-source MCP repositories is feasible and yields a high rate of confirmed zero-day findings when dynamic validation is included.
  • Responsible disclosure of all confirmed issues led to 67 CVE assignments, indicating that the discovered flaws are treated as actionable by the affected projects.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Developers of LLM agent platforms may need to treat natural-language inputs to tool handlers with the same strictness currently applied to direct API calls.
  • The approach could be adapted to other agent-tool protocols that similarly expose privileged operations through unstructured command channels.
  • If prompt evolution continues to improve, security testing of agent systems may shift from static code review toward automated red-teaming with generated natural-language inputs.
  • Organizations deploying MCP servers in production environments should consider mandatory input sanitization at the tool-handler boundary rather than relying solely on the LLM's safety training.

Load-bearing premise

The two-pass static analysis and dual-mutator prompt evolution correctly resolve taint paths to exploitable MCP tool handlers without substantial false positives or missed multi-step vulnerabilities.

What would settle it

A manual review of the 106 reported vulnerabilities that finds a substantial fraction cannot be triggered by any natural-language prompt would falsify the claim that the framework produces only confirmed, exploitable results.

Figures

Figures reproduced from arXiv: 2605.21392 by Dakun Shen, Enhao Huang, Pengyu Sun, Qishu Jin, Song Li, Xin Liu, Zifeng Kang.

Figure 1: Motivating example from bytebot: a malicious prompt drives the agent to select computer_write_file, and the attacker-controlled path value propagates into the backend file-write handler. The red lines denote the taint flow. computer_write_file appears benign at the interface level: it accepts a destination path and Base64-encoded file contents, and is intended to let the agent write a file on the user’s b…

Figure 2: Overview of the VIPER-MCP three-phase pipeline. Phase I, Static Taint Analysis, performs two-pass CodeQL analysis with anchor queries to extract vulnerability-anchored call chains from MCP server source code. Phase II, Dynamic Fuzzing Test, generates seed prompts from the call chains, executes them against the instrumented server via a Surrogate Agent, and iteratively mutates prompts through a structure mu…

Figure 3: [RQ5 (Efficiency Study)] Per-server runtime distribution by pipeline
Original abstract

Model Context Protocol (MCP) has emerged as a standard interface for connecting LLM agents to external tools. Because MCP servers expose privileged operations such as shell execution, network access, and file-system manipulation to agent-driven invocation, implementation flaws in tool handlers can create a direct path from natural-language input to security-sensitive sinks, potentially granting attackers remote code execution or full system compromise. Existing approaches either produce unconfirmed static alerts without dynamic validation, or rely on fixed template libraries that lack code-level guidance and fail to trigger vulnerabilities requiring specific parameter shapes or multi-step taint paths. In this paper, we present VIPER-MCP, the first end-to-end automated vulnerability auditing framework for MCP servers that not only detects taint-style vulnerabilities but also dynamically confirms their exploitability by producing concrete proof-of-concept prompts. VIPER-MCP introduces two novel techniques: (1) an anchor-query pass in a two-pass static analysis strategy that augments standard taint alerts with function-level structural context, resolving file-level static artifacts to specific MCP tool handlers and producing vulnerability-anchored call chains; and (2) a feedback-driven prompt evolution mechanism that employs dual-mutator scheduling that independently corrects tool-selection drift and deepens parameter penetration, together with fitness-scored seed selection to iteratively refine natural-language prompts toward vulnerable sinks. In a large-scale scan of 39,884 real-world open-source MCP server repositories, VIPER-MCP discovered 106 0-day vulnerabilities, all of which were confirmed through end-to-end exploit traces, with 67 CVE IDs assigned to date. We responsibly disclosed all confirmed findings to the affected developers and coordinated CVE assignment where applicable.
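The tool-handler boundary that the abstract and Figure 1 describe (a prompt-derived destination path plus Base64 content flowing straight into a file write) is where a defender would add confinement. The block below is an added example, not code from the paper or from the bytebot project; `safe_write_file`, the workspace-root policy and the size limit are assumptions constructed for illustration.

```python
"""Hardened write-file tool handler (constructed example, not bytebot's code).

Shows the checks that stop a prompt-controlled path from reaching the
file-write sink outside the intended workspace: root confinement via
realpath (covers '..' segments and symlinks), rejection of absolute paths
and NUL bytes, strict Base64 decoding and a size limit.
"""
import base64
import binascii
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional

MAX_CONTENT_BYTES = 1_000_000  # assumed policy limit for the example


@dataclass
class WriteDecision:
    allowed: bool
    reason: str
    resolved_path: Optional[str] = None


def unsafe_write_file(path: str, content_b64: str) -> str:
    """Vulnerable shape for contrast: the path from the prompt reaches open()
    untouched, so any '..' or absolute destination the agent forwards is honoured."""
    with open(path, "wb") as fh:
        fh.write(base64.b64decode(content_b64))
    return path


def confine_path(root: str, requested: str) -> WriteDecision:
    """Resolve `requested` against `root` and reject anything that escapes it."""
    root_real = os.path.realpath(root)
    if os.path.isabs(requested):
        return WriteDecision(False, "absolute path not permitted")
    if "\x00" in requested:
        return WriteDecision(False, "NUL byte in path")
    # realpath resolves '..' and any symlink on the way, so a symlink inside
    # the workspace that points outside it is caught as well.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # Compare with a trailing separator so /srv/data2 is not treated as a
    # child of /srv/data.
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        return WriteDecision(False, "path escapes workspace root")
    if os.path.isdir(candidate):
        return WriteDecision(False, "destination is a directory")
    return WriteDecision(True, "ok", candidate)


def decode_content(content_b64: str) -> Optional[bytes]:
    """Strict Base64 decode with a size cap; None means reject."""
    try:
        data = base64.b64decode(content_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(data) > MAX_CONTENT_BYTES:
        return None
    return data


def safe_write_file(root: str, path: str, content_b64: str) -> WriteDecision:
    """Hardened handler: every check happens before the sink is reached."""
    decision = confine_path(root, path)
    if not decision.allowed:
        return decision
    data = decode_content(content_b64)
    if data is None:
        return WriteDecision(False, "content is not valid Base64 or exceeds size limit")
    os.makedirs(os.path.dirname(decision.resolved_path), exist_ok=True)
    with open(decision.resolved_path, "wb") as fh:
        fh.write(data)
    return decision


def demo() -> Dict[str, Optional[bool]]:
    """Exercise the handler with constructed inputs; returns allowed-flags per case."""
    root = tempfile.mkdtemp(prefix="mcp-ws-")
    payload = base64.b64encode(b"hello").decode()
    results: Dict[str, Optional[bool]] = {
        "inside": safe_write_file(root, "notes/todo.txt", payload).allowed,
        "traversal": safe_write_file(root, "../../escape.txt", payload).allowed,
        "absolute": safe_write_file(root, "/tmp/escape.txt", payload).allowed,
        "bad_b64": safe_write_file(root, "x.txt", "not base64!").allowed,
    }
    outside = tempfile.mkdtemp(prefix="mcp-out-")
    try:  # symlink inside the workspace that points outside it
        os.symlink(outside, os.path.join(root, "link"))
        results["symlink"] = safe_write_file(root, "link/escape.txt", payload).allowed
    except OSError:
        results["symlink"] = None  # platform refused symlink creation
    return results
```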

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper presents VIPER-MCP, the first end-to-end automated vulnerability auditing framework for Model Context Protocol (MCP) servers. It introduces two novel techniques—an anchor-query pass within a two-pass static analysis strategy that augments taint alerts with function-level structural context to resolve to specific MCP tool handlers, and a feedback-driven prompt evolution mechanism using dual-mutator scheduling (correcting tool-selection drift and deepening parameter penetration) with fitness-scored seed selection—to generate concrete proof-of-concept natural-language prompts. In a scan of 39,884 real-world open-source MCP server repositories, the framework identified 106 0-day vulnerabilities, all confirmed through end-to-end exploit traces, with 67 CVE IDs assigned to date; all findings were responsibly disclosed.

Significance. If the results hold, the work is significant because it addresses security risks in the emerging MCP standard for connecting LLM agents to privileged external tools (shell, network, filesystem), where natural-language inputs can reach security-sensitive sinks. The large-scale empirical scan combined with dynamic exploit confirmation and real-world CVE assignments provides concrete evidence of practical impact beyond unvalidated static alerts. Credit is due for the responsible disclosure process and for producing reproducible end-to-end traces rather than relying solely on static analysis or fixed templates.

major comments (2)
  1. [Abstract] Abstract and the paragraphs describing the two novel techniques: the central claim that the anchor-query pass and dual-mutator prompt evolution correctly resolve taint paths to exploitable MCP tool handlers without substantial false positives or missed multi-step vulnerabilities is load-bearing for the reported 106 confirmed 0-days, yet no false-positive rate, error analysis, baseline comparison, or validation methodology for the dynamic confirmation step is supplied.
  2. [Evaluation] Evaluation section (implied by the large-scale scan description): the claim of 106 vulnerabilities 'all of which were confirmed through end-to-end exploit traces' lacks any quantitative details on how confirmation was performed, what constitutes a valid trace, or how many candidate alerts were filtered before confirmation, undermining the ability to assess the soundness of the 106/39,884 yield.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive review. The comments correctly identify areas where additional methodological transparency would strengthen the paper. We address each point below and will incorporate the suggested clarifications in the revised manuscript.

Point-by-point responses
  1. Referee: [Abstract] Abstract and the paragraphs describing the two novel techniques: the central claim that the anchor-query pass and dual-mutator prompt evolution correctly resolve taint paths to exploitable MCP tool handlers without substantial false positives or missed multi-step vulnerabilities is load-bearing for the reported 106 confirmed 0-days, yet no false-positive rate, error analysis, baseline comparison, or validation methodology for the dynamic confirmation step is supplied.

    Authors: We agree that the absence of explicit false-positive rates, error analysis, and baseline comparisons limits the ability to fully assess the precision of the anchor-query pass and dual-mutator evolution. The manuscript currently emphasizes the end-to-end discovery and confirmation results rather than intermediate validation metrics. In the revision we will add a dedicated subsection in the Evaluation section that reports: (1) a manual audit of a statistically significant sample of static alerts to estimate false-positive rate, (2) an ablation comparing the full two-pass analysis against a standard taint-analysis baseline without the anchor-query pass, and (3) a precise description of the dynamic confirmation protocol, including sandbox setup, success criteria for an exploit trace, and handling of multi-step taint paths. These additions will directly support the claim of 106 confirmed zero-days. revision: yes

  2. Referee: [Evaluation] Evaluation section (implied by the large-scale scan description): the claim of 106 vulnerabilities 'all of which were confirmed through end-to-end exploit traces' lacks any quantitative details on how confirmation was performed, what constitutes a valid trace, or how many candidate alerts were filtered before confirmation, undermining the ability to assess the soundness of the 106/39,884 yield.

    Authors: The current text states that all 106 vulnerabilities were confirmed via end-to-end exploit traces but does not quantify the filtering pipeline or define a valid trace. We will revise the Evaluation section to include these details: the total number of taint alerts produced by static analysis, the number discarded at each filtering stage (e.g., non-MCP-tool handlers, unreachable sinks), the exact criteria for a successful trace (successful invocation of the vulnerable tool handler with attacker-controlled data reaching the security-sensitive sink), and the sandboxed execution environment used for confirmation. This quantitative breakdown will allow readers to evaluate the 106/39,884 yield more rigorously. revision: yes

Circularity Check

0 steps flagged

No significant circularity

Full rationale

The paper is an empirical large-scale scan of 39,884 external open-source MCP server repositories that reports 106 dynamically confirmed 0-day vulnerabilities and 67 CVE assignments. No derivation chain, equations, fitted parameters, or self-citations appear in the provided abstract or high-level description that reduce the central claims to inputs by construction. The two novel techniques (anchor-query pass and dual-mutator prompt evolution) are presented as methodological contributions whose correctness is evaluated against independent external outcomes (end-to-end exploit traces and CVE records) rather than being tautological. The work is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract contains no mathematical derivations, fitted parameters, or postulated entities; work is a practical security scanning tool whose claims rest on unelaborated implementation assumptions.




    Parameter Mutator: Keep the same task and tool path, but change the concrete parameter or argument value so it is more likely to reach the sink. Think step by step: Step 1 - Assess tool-path status: Examine the structure score and the agent response; if the target tool was not invoked and the structure score is low (e.g., < 7), the primary bottleneck is t...