REVIEW 3 major objections 2 minor 78 references
Standard memorization detectors fail when LLMs train on laundered surrogates of proprietary data; SDR restores the signal by synthesizing training-like queries.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-13 14:07 UTC pith:3L2HJXP4
load-bearing objection Wrong full text in the package (MCP/Connor, 2604.01905); for the titled data-laundering paper we only have a coherent abstract, so the MIMIR/SDR claims are unverified. the 3 major comments →
Combating Data Laundering in LLM Training
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
When an LLM is trained only on laundered surrogates of proprietary data, standard query-with-originals detectors lose the memorization gap between candidates and references. Synthesis Data Reversion (SDR) can recover a useful gap without knowing the laundering transform: an auxiliary model, guided by a discrete goal plus iteratively refined details, synthesizes queries that make the target model again assign stronger detection signals to the proprietary material than to held-out text.
What carries the argument
Synthesis Data Reversion (SDR): a constrained search over natural-language transformations, cast as a high-level goal (e.g., “lyrical rewriting”) plus fine-grained details (e.g., “with vivid imagery”), that an auxiliary LLM uses to map originals into training-like queries optimized to maximize the target model’s detection signal.
Load-bearing premise
An auxiliary LLM, given only a guessed high-level rewrite goal and iteratively refined details, can produce queries close enough to the unknown training-time laundering distribution that memorization signals reappear on the target model.
What would settle it
Run SDR against a held-out laundering transform that is deliberately outside the goal-details vocabulary the method searches; if candidate-reference signal separation stays collapsed on MIMIR-style splits for the same model families, the central recovery claim fails.
If this is right
- Auditors can keep using raw proprietary originals even when they suspect the model was trained only on rewritten surrogates.
- Data-provenance checks become laundering-aware without requiring disclosure or recovery of the exact transform.
- Marketplace and rights-holder tooling can add an SDR-style synthesis stage before applying existing loss- or confidence-based detectors.
- Laundering that stays within common stylistic or structural rewrite goals remains detectable; completely novel transforms would need further search extensions.
Where Pith is reading between the lines
- If goal-details search is cheap, adversaries may escalate to multi-hop or adversarial laundering designed to sit outside common rewrite goals, creating an arms race over the abstraction vocabulary.
- The same synthesis idea could be inverted: a defender might generate “laundered-looking” canaries at training time so that later detection remains robust even under style transfer.
- Success of SDR suggests memorization is partly style-invariant at the semantic level once the surface form is recovered, which has implications for how tightly style and content are bound in current LLM training.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The submission is labeled as arXiv:2604.01904, “Combating Data Laundering in LLM Training.” The abstract claims that standard query-with-originals memorization detectors fail under data laundering (training on semantics-preserving stylistic/structural surrogates), and that Synthesis Data Reversion (SDR)—a goal-details search over natural-language transforms via an auxiliary LLM—restores candidate–reference detection signals on MIMIR across diverse laundering practices and Pythia/Llama2/Falcon targets. The supplied full manuscript text, however, is an entirely different work: “From Component Manipulation to System Compromise: Understanding and Detecting Malicious MCP Servers” (arXiv:2604.01905), which constructs a 114-server component-centric PoC dataset and proposes Connor, a two-stage behavioral-deviation detector for malicious MCP servers. No methods, theorems, algorithms, ablations, or result tables for SDR or data-laundering detection appear in the provided full text.
Significance. If the abstract’s claims for SDR were substantiated, the work would be a useful practical contribution to post-hoc training-data auditing under an increasingly realistic threat model (provenance obfuscation via laundering). The goal-details abstraction and iterative synthesis idea is a plausible way to make an unbounded transform space searchable. Those claims cannot be assessed from the package as delivered, because the full manuscript does not describe SDR, MIMIR experiments, or laundering-aware detection at all. The MCP/Connor manuscript that is present is a separate, potentially significant systems-security contribution, but it is not the paper under review as identified by paper_id, title, and abstract.
major comments (3)
- Package mismatch (title/abstract vs. full text): The review package identifies arXiv:2604.01904 (data laundering / SDR). The full manuscript is instead the MCP/Connor paper (arXiv:2604.01905). None of the abstract’s load-bearing claims—brittleness of query-with-originals under laundering, the SDR goal-details procedure, or consistent restoration of detection signals on MIMIR for Pythia/Llama2/Falcon—can be verified. This is not a presentation issue; it blocks evaluation of the stated contribution.
- Unverifiable central empirical claim: The abstract asserts that SDR “consistently restores detection signals” on MIMIR against diverse laundering practices and three model families. Without the corresponding methods section, baselines, ablations, metrics, or tables, this claim cannot be audited for soundness, effect sizes, or failure modes.
- Load-bearing synthesis-fidelity assumption (abstract only): SDR is said to search a goal-details abstraction so that synthesized queries elicit stronger target-model detection signals, while the true laundering map and laundered corpus remain undisclosed. Because the search objective is the same family of memorization signals used for detection, there is a concrete circularity risk: the procedure may discover high-likelihood stylistic rewrites rather than recover training-time exposure. The manuscript as provided contains no experiment that separates these explanations (e.g., held-out laundering transforms, non-training high-signal controls, or recovery-vs-detection ablations).
minor comments (2)
- The abstract alone is clear on threat model and high-level method, but notation for “goal” vs. “details,” the auxiliary LLM’s role, and the exact detection statistic (loss, confidence, etc.) are undefined without the missing body.
- If the intended submission is the MCP/Connor manuscript present in the full text, the package must be re-identified (title, abstract, paper_id) and resubmitted for review under that identity; the current abstract does not describe that work.
Circularity Check
No derivation circularity in the supplied full manuscript (MCP/Connor); empirical attack construction and behavioral-deviation detection do not reduce claims to their inputs by construction.
full rationale
The full manuscript provided is the MCP/Connor paper (component-centric malicious MCP servers and a two-stage behavioral deviation detector), not the data-laundering/SDR abstract labeled 2604.01904. Within that manuscript there is no first-principles derivation chain that could be circular: influence paths are enumerated from a finite signature space (Med, Stage, Sink, Carrier), PoCs are expert-instantiated under explicit technique–component compatibility constraints, ASR is measured empirically across hosts/LLMs, and Connor’s detector is defined as runtime deviation from extracted function intent rather than as a fitted redefinition of the evaluation metric. Self-citations to the authors’ prior malicious-package work supply reusable building blocks (sensitive-API lists, shell-command analysis) but are not load-bearing uniqueness theorems that force the central claims. Evaluation on the authors’ own 114 PoCs is standard for a new threat class and is supplemented by external PoCs and real-world marketplace scanning; success is not defined as recovering a quantity that was fitted into the method. No self-definitional equations, fitted-input-as-prediction, or ansatz-via-self-citation reductions appear. Score 0 is therefore appropriate for the paper that was actually supplied. (Package mismatch with the SDR abstract is a review-integrity issue, not a circularity finding about either paper’s math.)
Axiom & Free-Parameter Ledger
axioms (4)
- domain assumption Memorization-based detection signals (e.g., higher confidence or lower loss on training-like text vs. held-out references) remain informative when the query distribution is close enough to the training distribution, even if not identical to the original proprietary text.
- domain assumption Data laundering consists of semantics-preserving stylistic or structural transformations that obfuscate provenance while remaining useful for training.
- ad hoc to paper A goal-details abstraction (high-level transformation goal + fine-grained details) sufficiently constrains the unbounded space of natural-language transforms so that iterative refinement can find detection-useful surrogates without recovering the true laundering map.
- domain assumption The auditor has raw proprietary data, a held-out non-training reference corpus, and query access to the target LLM, but not the laundering transform or laundered corpus.
invented entities (2)
-
Synthesis Data Reversion (SDR)
no independent evidence
-
goal-details abstraction for natural-language transformations
no independent evidence
read the original abstract
Post-hoc unauthorized-training data detection for large language models (LLMs) typically assumes a query-with-originals regime: rights holders query a target LLM with raw proprietary data and assess whether the model assigns them stronger memorization-based detection signals, e.g., higher confidence or lower loss, than held-out non-training reference texts. We show that this regime becomes brittle under data laundering, where the target LLM is trained on semantics-preserving but stylistically or structurally transformed surrogates of proprietary data to obfuscate provenance. Since training-time exposure occurs in the laundered form, memorization signals may no longer appear on the originals, collapsing the candidate-reference signal separation that standard detectors rely on. We counter this threat by studying laundering-aware detection with raw proprietary data, a held-out reference corpus, and query access to the target LLM, while the laundering transformation is undisclosed. Since exact recovery of the laundered corpus is infeasible, we infer a detection-useful synthesis process via an auxiliary LLM that maps originals into training-like queries. To make this search tractable, we introduce Synthesis Data Reversion (SDR), which constrains the unbounded space of natural-language transformations through a goal-details abstraction: a high-level transformation goal, e.g., "lyrical rewriting", and fine-grained details, e.g., "with vivid imagery". SDR identifies the most likely goal and iteratively refines details so synthesized queries elicit stronger target-model detection signals. Evaluated on the MIMIR benchmark against diverse laundering practices and target LLM families (Pythia, Llama2, and Falcon), SDR consistently restores detection signals, offering a practical auditing layer against data laundering.
Reference graph
Works this paper leans on
-
[1]
The work-averse cyberattacker model: theory and evidence from two million attack signatures
Luca Allodi, Fabio Massacci, and Julian Williams. The work-averse cyberattacker model: theory and evidence from two million attack signatures. Risk Analysis, 42(8):1623–1642, 2022
2022
-
[2]
antgroup. Mcpscan. https://github.com/antgroup/MCPScan, 2025
2025
-
[3]
Introducing the model context protocol
anthropic. Introducing the model context protocol. https://www.anthropic.com/news/model-context-protocol, 2024
2024
-
[4]
Manish Bhatt, Vineeth Sai Narajala, and Idan Habler. Etdi: Mitigating tool squatting and rug pull attacks in model context protocol (mcp) by using oauth-enhanced tool definitions and policy-based access control.arXiv preprint arXiv:2506.01333, 2025
Pith/arXiv arXiv 2025
-
[5]
Agentbound: Securing execution boundaries of ai agents
Christoph Bühler, Matteo Biagiola, Luca Di Grazia, and Guido Salvaneschi. Agentbound: Securing execution boundaries of ai agents. InProceedings of the 34th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, page 24, 2026
2026
-
[6]
Claude. Claude. https://claude.ai/, 2023
2023
-
[7]
Connect claude code to tools via mcp
Claude. Connect claude code to tools via mcp. https://code.claude.com/docs/en/mcp, 2025
2025
-
[8]
Introducing claude 4
Claude. Introducing claude 4. https://www.anthropic.com/news/claude-4, 2025
2025
-
[9]
Introducing claude sonnet 4.5
Claude. Introducing claude sonnet 4.5. https://www.anthropic.com/news/claude-sonnet-4-5, 2025
2025
-
[10]
Cursor. Cursor. https://cursor.com, 2023
2023
-
[11]
Cursor agent
Cursor. Cursor agent. https://cursor.com/cn/docs/agent/overview#tools, 2025
2025
-
[12]
Cursor directory - cursor rules & mcp servers
Cursor. Cursor directory - cursor rules & mcp servers. https://cursor.directory/, 2025
2025
-
[13]
Model context protocol (mcp) | cursor docs
Cursor. Model context protocol (mcp) | cursor docs. https://cursor.com/docs/context/mcp, 2025
2025
-
[14]
Deepseek-v3.1
DeepSeek. Deepseek-v3.1. https://api-docs.deepseek.com/news/news250821, 2025
2025
-
[15]
Abul Ehtesham, Aditi Singh, Gaurav Kumar Gupta, and Saket Kumar. A survey of agent interoperability protocols: Model context protocol (mcp), agent communication protocol (acp), agent-to-agent protocol (a2a), and agent network protocol (anp).arXiv preprint arXiv:2505.02279, 2025
Pith/arXiv arXiv 2025
-
[16]
Junfeng Fang, Zijun Yao, Ruipeng Wang, Haokai Ma, Xiang Wang, and Tat-Seng Chua. We should identify and mitigate third-party safety risks in mcp-powered agent systems.arXiv preprint arXiv:2506.13666, 2025
Pith/arXiv arXiv 2025
-
[17]
Enhanced prompting framework for code summarization with large language models
Minying Fang, Xing Yuan, Yuying Li, Haojie Li, Chunrong Fang, and Junwei Du. Enhanced prompting framework for code summarization with large language models. InProceedings of the 34th International Symposium on Software Testing and Analysis, 2025
2025
-
[18]
Mcp json configuration
FastMcp. Mcp json configuration. https://gofastmcp.com/integrations/mcp-json-configuration, 2025
2025
-
[19]
Pengfei Gao, Zhao Tian, Xiangxin Meng, Xinchen Wang, Ruida Hu, Yuanan Xiao, Yizhou Liu, Zhao Zhang, Junjie Chen, Cuiyun Gao, et al. Trae agent: An llm-based agent for software engineering with test-time scaling.arXiv preprint arXiv:2507.23370, 2025
Pith/arXiv arXiv 2025
-
[20]
Malguard: towards real-time, accurate, and actionable detection of malicious packages in pypi ecosystem
Xingan Gao, Xiaobing Sun, Sicong Cao, Kaifeng Huang, Di Wu, Xiaolei Liu, Xingwei Lin, and Yang Xiang. Malguard: towards real-time, accurate, and actionable detection of malicious packages in pypi ecosystem. InProceedings of the 34th USENIX Conference on Security Symposium, 2025
2025
-
[21]
Github copilot·your ai pair programmer
GitHub. Github copilot·your ai pair programmer. https://github.com/features/copilot, 2021
2021
-
[22]
Extending github copilot coding agent with the model context protocol (mcp)
GitHub. Extending github copilot coding agent with the model context protocol (mcp). https://docs.github.com/en/enterprise-cloud@latest/copilot/ how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp?utm_source=chatgpt.com, 2025
2025
-
[23]
Popular mcp servers
Glama. Popular mcp servers. https://glama.ai/mcp/servers, 2025
2025
-
[24]
Gemini 3
Google. Gemini 3. https://aistudio.google.com/models/gemini-3, 2025
2025
-
[25]
Gtfobins
GTFOBins. Gtfobins. https://gtfobins.github.io/, 2022
2022
-
[26]
A measurement study of model context protocol ecosystem.arXiv preprint arXiv:2509.25292, 2025
Hechuan Guo, Yongle Hao, Yue Zhang, Minghui Xu, Peizhuo Lv, Jiezhi Chen, and Xiuzhen Cheng. A measurement study of model context protocol ecosystem.arXiv preprint arXiv:2509.25292, 2025
arXiv 2025
-
[27]
Large language model based multi-agents: A survey of progress and challenges
Taicheng Guo, Xiuying Chen, Yaqi Wang, Ruidi Chang, Shichao Pei, Nitesh V Chawla, Olaf Wiest, and Xiangliang Zhang. Large language model based multi-agents: A survey of progress and challenges. InProceedings of the 33th International Joint Conference on Artificial Intelligence, pages 8048–8057, 2024
2024
-
[28]
An empirical study of malicious code in pypi ecosystem
Wenbo Guo, Zhengzi Xu, Chengwei Liu, Cheng Huang, Yong Fang, and Yang Liu. An empirical study of malicious code in pypi ecosystem. In Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering, pages 166–177, 2023
2023
-
[29]
Systematic analysis of mcp security.arXiv preprint arXiv:2508.12538, 2025
Yongjian Guo, Puzhuo Liu, Wanlun Ma, Zehang Deng, Xiaogang Zhu, Peng Di, Xi Xiao, and Sheng Wen. Systematic analysis of mcp security.arXiv preprint arXiv:2508.12538, 2025
Pith/arXiv arXiv 2025
-
[30]
damn-vulnerable-mcp-server
harishsg993010. damn-vulnerable-mcp-server. https://github.com/harishsg993010/damn-vulnerable-MCP-server, 2025
2025
-
[31]
Mohammed Mehedi Hasan, Hao Li, Emad Fallahzadeh, Gopi Krishnan Rajbahadur, Bram Adams, and Ahmed E Hassan. Model context protocol (mcp) at first glance: Studying the security and maintainability of mcp servers.arXiv preprint arXiv:2506.13538, 2025
Pith/arXiv arXiv 2025
-
[32]
Mohammed Mehedi Hasan, Hao Li, Gopi Krishnan Rajbahadur, Bram Adams, and Ahmed E Hassan. Model context protocol (mcp) tool descriptions are smelly! towards improving ai agent efficiency with augmented mcp tool descriptions.arXiv preprint arXiv:2602.14878, 2026
Pith/arXiv arXiv 2026
-
[33]
Ping He, Changjiang Li, Binbin Zhao, Tianyu Du, and Shouling Ji. Automatic red teaming llm-based agents with model context protocol tools.arXiv preprint arXiv:2509.21011, 2025. Manuscript submitted to ACM 28 Huang et al
arXiv 2025
-
[34]
Model context protocol (mcp): Landscape, security threats, and future research directions
Xinyi Hou, Yanjie Zhao, Shenao Wang, and Haoyu Wang. Model context protocol (mcp): Landscape, security threats, and future research directions. arXiv preprint arXiv:2503.23278, 2025
Pith/arXiv arXiv 2025
-
[35]
Donapi: Malicious npm packages detector using behavior sequence knowledge mapping
Cheng Huang, Nannan Wang, Ziyan Wang, Siqi Sun, Lingzi Li, Junren Chen, Qianchong Zhao, Jiaxuan Han, Zhen Yang, and Lei Shi. Donapi: Malicious npm packages detector using behavior sequence knowledge mapping. InProceedings of the 33rd USENIX Security Symposium, 2024
2024
-
[36]
Spiderscan: Practical detection of malicious npm packages based on graph-based behavior modeling and matching
Yiheng Huang, Ruisi Wang, Wen Zheng, Zhuotong Zhou, Susheng Wu, Shulin Ke, Bihuan Chen, Shan Gao, and Xin Peng. Spiderscan: Practical detection of malicious npm packages based on graph-based behavior modeling and matching. InProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pages 1146–1158, 2024
2024
-
[37]
Profmal: Detecting malicious npm packages by the synergy between static and dynamic analysis
Yiheng Huang, Wen Zheng, Susheng Wu, Bihuan Chen, You Lu, Zhuotong Zhou, Yiheng Cao, Xiaoyu Li, and Xin Peng. Profmal: Detecting malicious npm packages by the synergy between static and dynamic analysis. InProceedings of the 40th IEEE/ACM International Conference on Automated Software Engineering, 2025
2025
-
[38]
Mcp security notification: Tool poisoning attacks
Invariantlabs. Mcp security notification: Tool poisoning attacks. https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks, 2025
2025
-
[39]
Whatsapp mcp exploited: Exfiltrating your message history via mcp
Invariantlabs. Whatsapp mcp exploited: Exfiltrating your message history via mcp. https://invariantlabs.ai/blog/whatsapp-mcp-exploited, 2025
2025
-
[40]
mcp-scan
invariantlabs ai. mcp-scan. https://github.com/invariantlabs-ai/mcp-scan, 2025
2025
-
[41]
Mcip: Protecting mcp safety via model contextual integrity protocol
Huihao Jing, Haoran Li, Wenbin Hu, Qi Hu, Xu Heli, Tianshu Chu, Peizhao Hu, and Yangqiu Song. Mcip: Protecting mcp safety via model contextual integrity protocol. InProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, pages 1177–1194, 2025
2025
-
[42]
Joern - the bug hunter’s workbench
Joern. Joern - the bug hunter’s workbench. https://joern.io/, 2019
2019
-
[43]
3 malicious mcp servers found on pypi
Guy Korolevski. 3 malicious mcp servers found on pypi. https://research.jfrog.com/post/3-malicious-mcps-pypi-reverse-shell/, 2026
2026
-
[44]
Mcp guardian: A security-first layer for safeguarding mcp-based ai system
Sonu Kumar, Anubhav Girdhar, Ritesh Patil, and Divyansh Tripathi. Mcp guardian: A security-first layer for safeguarding mcp-based ai system. arXiv preprint arXiv:2504.12757, 2025
Pith/arXiv arXiv 2025
-
[45]
First malicious mcp server found stealing emails in rogue postmark-mcp package
Ravie Lakshmanan. First malicious mcp server found stealing emails in rogue postmark-mcp package. https://thehackernews.com/2025/09/first- malicious-mcp-server-found.html, 2026
2025
-
[46]
The platform for reliable agents
langchain. The platform for reliable agents. https://github.com/langchain-ai/langchain, 2023
2023
-
[47]
We urgently need privilege management in mcp: A measurement of api usage in mcp ecosystems
Zhihao Li, Kun Li, Boyang Ma, Minghui Xu, Yue Zhang, and Xiuzhen Cheng. We urgently need privilege management in mcp: A measurement of api usage in mcp ecosystems. InProceedings of the 22nd International Conference on Mobile Ad-Hoc and Smart Systems, pages 555–560, 2025
2025
-
[48]
Getting started with model context protocol part 2: Prompts and resources
Daniel Liden. Getting started with model context protocol part 2: Prompts and resources. https://www.danliden.com/posts/20250921-mcp-prompts- resources.html, 2025
arXiv 2025
-
[49]
From large to mammoth: A comparative evaluation of large language models in vulnerability detection
Jie Lin and David Mohaisen. From large to mammoth: A comparative evaluation of large language models in vulnerability detection. InProceedings of the 32th Network and Distributed System Security Symposium, 2025
2025
-
[50]
MCP.so. Mcp.so. https://mcp.so/, 2025
2025
-
[51]
Model context protocol servers
modelcontextprotocol. Model context protocol servers. https://github.com/modelcontextprotocol/servers, 2025
2025
-
[52]
Vineeth Sai Narajala and Idan Habler. Enterprise-grade security for the model context protocol (mcp): Frameworks and mitigation strategies.arXiv preprint arXiv:2504.08623, 2025
Pith/arXiv arXiv 2025
-
[53]
Securing genai multi-agent systems against tool squatting: A zero trust registry-based approach
Vineeth Sai Narajala, Ken Huang, and Idan Habler. Securing genai multi-agent systems against tool squatting: A zero trust registry-based approach. arXiv preprint arXiv:2504.19951, 2025
Pith/arXiv arXiv 2025
-
[54]
Backstabber’s knife collection: A review of open source software supply chain attacks
Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. Backstabber’s knife collection: A review of open source software supply chain attacks. InProceedings of the 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 23–43, 2020
2020
-
[55]
Function calling
OpenAI. Function calling. https://platform.openai.com/docs/guides/function-calling, 2025
2025
-
[56]
Introducing gpt-5
OpenAI. Introducing gpt-5. https://openai.com/index/introducing-gpt-5/, 2025
2025
-
[57]
A distributed vulnerability database for open source
OSV. A distributed vulnerability database for open source. https://osv.dev/, 2026
2026
-
[58]
Mcp server directory
pulse. Mcp server directory. https://www.pulsemcp.com/servers, 2025
2025
-
[59]
Toolllm: Facilitating large language models to master 16000+ real-world apis
Yujia Qin, Shihao Liang, Yining Ye, Kunlun Zhu, Lan Yan, Yaxi Lu, Yankai Lin, Xin Cong, Xiangru Tang, Bill Qian, et al. Toolllm: Facilitating large language models to master 16000+ real-world apis. InProceedings of the 12th International Conference on Learning Representations, 2024
2024
-
[60]
Brandon Radosevich and John Halloran. Mcp safety audit: Llms with the model context protocol allow major security exploits.arXiv preprint arXiv:2504.03767, 2025
Pith/arXiv arXiv 2025
-
[61]
A survey on model context protocol: Architecture, state-of-the-art, challenges and future directions.Authorea Preprints, 2025
Partha Pratim Ray. A survey on model context protocol: Architecture, state-of-the-art, challenges and future directions.Authorea Preprints, 2025
2025
-
[62]
Benefits of using mcp over traditional integration methods
Drishti Shah. Benefits of using mcp over traditional integration methods. https://portkey.ai/blog/benefits-of-mcp-over-traditional-integration/, 2025
2025
-
[63]
Promptarmor: Simple yet effective prompt injection defenses.arXiv preprint arXiv:2507.15219, 2025
Tianneng Shi, Kaijie Zhu, Zhun Wang, Yuqi Jia, Will Cai, Weida Liang, Haonan Wang, Hend Alzahrani, Joshua Lu, Kenji Kawaguchi, et al. Promptarmor: Simple yet effective prompt injection defenses.arXiv preprint arXiv:2507.15219, 2025
Pith/arXiv arXiv 2025
-
[64]
Smithery - turn scattered context into skills for ai
Smithery. Smithery - turn scattered context into skills for ai. https://smithery.ai/servers, 2025
2025
-
[65]
Hao Song, Yiming Shen, Wenxuan Luo, Leixin Guo, Ting Chen, Jiashui Wang, Beibei Li, Xiaosong Zhang, and Jiachi Chen. Beyond the protocol: Unveiling attack vectors in the model context protocol ecosystem.arXiv preprint arXiv:2506.02040, 2025
Pith/arXiv arXiv 2025
-
[66]
Ai-infra-guard
Tencent. Ai-infra-guard. https://github.com/Tencent/AI-Infra-Guard, 2025
2025
-
[67]
Bin Wang, Zexin Liu, Hao Yu, Ao Yang, Yenan Huang, Jing Guo, Huangsheng Cheng, Hui Li, and Huiyu Wu. Mcpguard: Automatically detecting vulnerabilities in mcp servers.arXiv preprint arXiv:2510.23673, 2025. Manuscript submitted to ACM From Component Manipulation to System Compromise: Understanding and Detecting Malicious MCP Servers 29
arXiv 2025
-
[68]
Self-instruct: Aligning language models with self-generated instructions
Yizhong Wang, Yeganeh Kordi, Swaroop Mishra, Alisa Liu, Noah A Smith, Daniel Khashabi, and Hannaneh Hajishirzi. Self-instruct: Aligning language models with self-generated instructions. InProceedings of the 61st annual meeting of the association for computational linguistics, pages 13484–13508, 2023
2023
-
[69]
Zihan Wang, Rui Zhang, Yu Liu, Wenshu Fan, Wenbo Jiang, Qingchuan Zhao, Hongwei Li, and Guowen Xu. Mpma: Preference manipulation attack against model context protocol.arXiv preprint arXiv:2505.11154, 2025
arXiv 2025
-
[70]
Wenpeng Xing, Zhonghao Qi, Yupeng Qin, Yilin Li, Caini Chang, Jiahui Yu, Changting Lin, Zhenzhen Xie, and Meng Han. Mcp-guard: A defense framework for model context protocol integrity in large language model applications.arXiv preprint arXiv:2508.10991, 2025
arXiv 2025
-
[71]
A survey of ai agent protocols.arXiv preprint arXiv:2504.16736, 2025
Yingxuan Yang, Huacan Chai, Yuanyi Song, Siyuan Qi, Muning Wen, Ning Li, Junwei Liao, Haoyi Hu, Jianghao Lin, Gaowei Chang, et al. A survey of ai agent protocols.arXiv preprint arXiv:2504.16736, 2025
Pith/arXiv arXiv 2025
-
[72]
Mcpsecbench: A systematic security benchmark and playground for testing model context protocols
Yixuan Yang, Daoyuan Wu, and Yufan Chen. Mcpsecbench: A systematic security benchmark and playground for testing model context protocols. arXiv preprint arXiv:2508.13220, 2025
arXiv 2025
-
[73]
yiheng. Connor. https://github.com/yiheng98/Connor, 2026
2026
-
[74]
Williams
Nusrat Zahan, Philipp Burckhardt, Mikola Lysenko, Feross Aboukhadijeh, and Laurie A. Williams. Leveraging large language models to detect npm malicious packages. InProceedings of the 47th International Conference on Software Engineering, 2025
2025
-
[75]
Junan Zhang, Kaifeng Huang, Yiheng Huang, Bihuan Chen, Ruisi Wang, Chong Wang, and Xin Peng. Killing two birds with one stone: Malicious package detection in npm and pypi using a single model of malicious behavior sequence.ACM Transactions on Software Engineering and Methodology, 2024
2024
-
[76]
Shuli Zhao, Qinsheng Hou, Zihan Zhan, Yanhao Wang, Yuchong Xie, Yu Guo, Libo Chen, Shenghong Li, and Zhi Xue. Mind your server: A systematic study of parasitic toolchain attacks on the mcp ecosystem.arXiv preprint arXiv:2509.06572, 2025
Pith/arXiv arXiv 2025
-
[77]
When mcp servers attack: Taxonomy, feasibility, and mitigation.arXiv preprint arXiv:2509.24272, 2025
Weibo Zhao, Jiahao Liu, Bonan Ruan, Shaofei Li, and Zhenkai Liang. When mcp servers attack: Taxonomy, feasibility, and mitigation.arXiv preprint arXiv:2509.24272, 2025
arXiv 2025
-
[78]
–” in the “ID
Xinyi Zheng, Chen Wei, Shenao Wang, Yanjie Zhao, Peiming Gao, Yuanchao Zhang, Kailong Wang, and Haoyu Wang. Towards robust detection of open source software supply chain poisoning attacks in industry environments. InProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pages 1990–2001, 2024. Manuscript submitted to A...
1990
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.