Pith. sign in

REVIEW 3 major objections 2 minor 78 references

Standard memorization detectors fail when LLMs train on laundered surrogates of proprietary data; SDR restores the signal by synthesizing training-like queries.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-13 14:07 UTC pith:3L2HJXP4

load-bearing objection Wrong full text in the package (MCP/Connor, 2604.01905); for the titled data-laundering paper we only have a coherent abstract, so the MIMIR/SDR claims are unverified. the 3 major comments →

arxiv 2604.01904 v3 pith:3L2HJXP4 submitted 2026-04-02 cs.CR cs.AI

Combating Data Laundering in LLM Training

classification cs.CR cs.AI
keywords data launderingunauthorized training detectionmemorization signalsSynthesis Data ReversionLLM auditingMIMIR benchmarkquery synthesis
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Rights holders usually check whether a model saw their data by querying it with the original text and looking for stronger memorization signals than on held-out references. This paper shows that tactic collapses under data laundering: an adversary trains on semantics-preserving but stylistically or structurally rewritten versions of the proprietary material, so the original no longer lights up the detector. Because the true laundering transform is unknown and the laundered corpus cannot be recovered exactly, the authors instead search for a detection-useful synthesis process. Their method, Synthesis Data Reversion (SDR), uses an auxiliary LLM under a goal-details abstraction (high-level rewrite goal plus fine-grained stylistic details) to turn originals into training-like queries that re-elicit memorization signals. On the MIMIR benchmark, against diverse laundering practices and Pythia, Llama2, and Falcon models, SDR consistently restores candidate-reference separation, giving auditors a practical layer against provenance obfuscation.

Core claim

When an LLM is trained only on laundered surrogates of proprietary data, standard query-with-originals detectors lose the memorization gap between candidates and references. Synthesis Data Reversion (SDR) can recover a useful gap without knowing the laundering transform: an auxiliary model, guided by a discrete goal plus iteratively refined details, synthesizes queries that make the target model again assign stronger detection signals to the proprietary material than to held-out text.

What carries the argument

Synthesis Data Reversion (SDR): a constrained search over natural-language transformations, cast as a high-level goal (e.g., “lyrical rewriting”) plus fine-grained details (e.g., “with vivid imagery”), that an auxiliary LLM uses to map originals into training-like queries optimized to maximize the target model’s detection signal.

Load-bearing premise

An auxiliary LLM, given only a guessed high-level rewrite goal and iteratively refined details, can produce queries close enough to the unknown training-time laundering distribution that memorization signals reappear on the target model.

What would settle it

Run SDR against a held-out laundering transform that is deliberately outside the goal-details vocabulary the method searches; if candidate-reference signal separation stays collapsed on MIMIR-style splits for the same model families, the central recovery claim fails.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Auditors can keep using raw proprietary originals even when they suspect the model was trained only on rewritten surrogates.
  • Data-provenance checks become laundering-aware without requiring disclosure or recovery of the exact transform.
  • Marketplace and rights-holder tooling can add an SDR-style synthesis stage before applying existing loss- or confidence-based detectors.
  • Laundering that stays within common stylistic or structural rewrite goals remains detectable; completely novel transforms would need further search extensions.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If goal-details search is cheap, adversaries may escalate to multi-hop or adversarial laundering designed to sit outside common rewrite goals, creating an arms race over the abstraction vocabulary.
  • The same synthesis idea could be inverted: a defender might generate “laundered-looking” canaries at training time so that later detection remains robust even under style transfer.
  • Success of SDR suggests memorization is partly style-invariant at the semantic level once the surface form is recovered, which has implications for how tightly style and content are bound in current LLM training.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

3 major / 2 minor

Summary. The submission is labeled as arXiv:2604.01904, “Combating Data Laundering in LLM Training.” The abstract claims that standard query-with-originals memorization detectors fail under data laundering (training on semantics-preserving stylistic/structural surrogates), and that Synthesis Data Reversion (SDR)—a goal-details search over natural-language transforms via an auxiliary LLM—restores candidate–reference detection signals on MIMIR across diverse laundering practices and Pythia/Llama2/Falcon targets. The supplied full manuscript text, however, is an entirely different work: “From Component Manipulation to System Compromise: Understanding and Detecting Malicious MCP Servers” (arXiv:2604.01905), which constructs a 114-server component-centric PoC dataset and proposes Connor, a two-stage behavioral-deviation detector for malicious MCP servers. No methods, theorems, algorithms, ablations, or result tables for SDR or data-laundering detection appear in the provided full text.

Significance. If the abstract’s claims for SDR were substantiated, the work would be a useful practical contribution to post-hoc training-data auditing under an increasingly realistic threat model (provenance obfuscation via laundering). The goal-details abstraction and iterative synthesis idea is a plausible way to make an unbounded transform space searchable. Those claims cannot be assessed from the package as delivered, because the full manuscript does not describe SDR, MIMIR experiments, or laundering-aware detection at all. The MCP/Connor manuscript that is present is a separate, potentially significant systems-security contribution, but it is not the paper under review as identified by paper_id, title, and abstract.

major comments (3)
  1. Package mismatch (title/abstract vs. full text): The review package identifies arXiv:2604.01904 (data laundering / SDR). The full manuscript is instead the MCP/Connor paper (arXiv:2604.01905). None of the abstract’s load-bearing claims—brittleness of query-with-originals under laundering, the SDR goal-details procedure, or consistent restoration of detection signals on MIMIR for Pythia/Llama2/Falcon—can be verified. This is not a presentation issue; it blocks evaluation of the stated contribution.
  2. Unverifiable central empirical claim: The abstract asserts that SDR “consistently restores detection signals” on MIMIR against diverse laundering practices and three model families. Without the corresponding methods section, baselines, ablations, metrics, or tables, this claim cannot be audited for soundness, effect sizes, or failure modes.
  3. Load-bearing synthesis-fidelity assumption (abstract only): SDR is said to search a goal-details abstraction so that synthesized queries elicit stronger target-model detection signals, while the true laundering map and laundered corpus remain undisclosed. Because the search objective is the same family of memorization signals used for detection, there is a concrete circularity risk: the procedure may discover high-likelihood stylistic rewrites rather than recover training-time exposure. The manuscript as provided contains no experiment that separates these explanations (e.g., held-out laundering transforms, non-training high-signal controls, or recovery-vs-detection ablations).
minor comments (2)
  1. The abstract alone is clear on threat model and high-level method, but notation for “goal” vs. “details,” the auxiliary LLM’s role, and the exact detection statistic (loss, confidence, etc.) are undefined without the missing body.
  2. If the intended submission is the MCP/Connor manuscript present in the full text, the package must be re-identified (title, abstract, paper_id) and resubmitted for review under that identity; the current abstract does not describe that work.

Circularity Check

0 steps flagged

No derivation circularity in the supplied full manuscript (MCP/Connor); empirical attack construction and behavioral-deviation detection do not reduce claims to their inputs by construction.

full rationale

The full manuscript provided is the MCP/Connor paper (component-centric malicious MCP servers and a two-stage behavioral deviation detector), not the data-laundering/SDR abstract labeled 2604.01904. Within that manuscript there is no first-principles derivation chain that could be circular: influence paths are enumerated from a finite signature space (Med, Stage, Sink, Carrier), PoCs are expert-instantiated under explicit technique–component compatibility constraints, ASR is measured empirically across hosts/LLMs, and Connor’s detector is defined as runtime deviation from extracted function intent rather than as a fitted redefinition of the evaluation metric. Self-citations to the authors’ prior malicious-package work supply reusable building blocks (sensitive-API lists, shell-command analysis) but are not load-bearing uniqueness theorems that force the central claims. Evaluation on the authors’ own 114 PoCs is standard for a new threat class and is supplemented by external PoCs and real-world marketplace scanning; success is not defined as recovering a quantity that was fitted into the method. No self-definitional equations, fitted-input-as-prediction, or ansatz-via-self-citation reductions appear. Score 0 is therefore appropriate for the paper that was actually supplied. (Package mismatch with the SDR abstract is a review-integrity issue, not a circularity finding about either paper’s math.)

Axiom & Free-Parameter Ledger

0 free parameters · 4 axioms · 2 invented entities

Abstract-only review. Load-bearing premises are domain assumptions about memorization signals, laundering as semantics-preserving transforms, and the tractability of goal-details search—not free parameters fitted to data or invented physical entities. No numerical free parameters are disclosed in the abstract.

axioms (4)
  • domain assumption Memorization-based detection signals (e.g., higher confidence or lower loss on training-like text vs. held-out references) remain informative when the query distribution is close enough to the training distribution, even if not identical to the original proprietary text.
    Central to both the failure mode (signals vanish on originals after laundering) and the fix (synthesized training-like queries restore signals).
  • domain assumption Data laundering consists of semantics-preserving stylistic or structural transformations that obfuscate provenance while remaining useful for training.
    Defines the threat; abstract treats this as the attacker's capability without proving coverage of all real-world obfuscation.
  • ad hoc to paper A goal-details abstraction (high-level transformation goal + fine-grained details) sufficiently constrains the unbounded space of natural-language transforms so that iterative refinement can find detection-useful surrogates without recovering the true laundering map.
    Core methodological postulate of SDR; not a standard theorem, introduced to make search tractable.
  • domain assumption The auditor has raw proprietary data, a held-out non-training reference corpus, and query access to the target LLM, but not the laundering transform or laundered corpus.
    Threat/audit model stated in the abstract; detection claims are conditional on this access model.
invented entities (2)
  • Synthesis Data Reversion (SDR) no independent evidence
    purpose: Search procedure that uses an auxiliary LLM and a goal-details abstraction to synthesize training-like queries from originals so memorization detectors regain signal under undisclosed laundering.
    Named method introduced by the paper; independent evidence would be external replications or released code/benchmarks, not available in the abstract.
  • goal-details abstraction for natural-language transformations no independent evidence
    purpose: Factorization of rewrite space into a high-level goal and fine-grained details to make synthesis search tractable.
    Structural device invented for the method; not an independently measured natural object.

pith-pipeline@v1.1.0-grok45 · 44686 in / 3142 out tokens · 29345 ms · 2026-07-13T14:07:17.451083+00:00 · methodology

0 comments
read the original abstract

Post-hoc unauthorized-training data detection for large language models (LLMs) typically assumes a query-with-originals regime: rights holders query a target LLM with raw proprietary data and assess whether the model assigns them stronger memorization-based detection signals, e.g., higher confidence or lower loss, than held-out non-training reference texts. We show that this regime becomes brittle under data laundering, where the target LLM is trained on semantics-preserving but stylistically or structurally transformed surrogates of proprietary data to obfuscate provenance. Since training-time exposure occurs in the laundered form, memorization signals may no longer appear on the originals, collapsing the candidate-reference signal separation that standard detectors rely on. We counter this threat by studying laundering-aware detection with raw proprietary data, a held-out reference corpus, and query access to the target LLM, while the laundering transformation is undisclosed. Since exact recovery of the laundered corpus is infeasible, we infer a detection-useful synthesis process via an auxiliary LLM that maps originals into training-like queries. To make this search tractable, we introduce Synthesis Data Reversion (SDR), which constrains the unbounded space of natural-language transformations through a goal-details abstraction: a high-level transformation goal, e.g., "lyrical rewriting", and fine-grained details, e.g., "with vivid imagery". SDR identifies the most likely goal and iteratively refines details so synthesized queries elicit stronger target-model detection signals. Evaluated on the MIMIR benchmark against diverse laundering practices and target LLM families (Pythia, Llama2, and Falcon), SDR consistently restores detection signals, offering a practical auditing layer against data laundering.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

78 extracted references · 16 linked inside Pith

  1. [1]

    The work-averse cyberattacker model: theory and evidence from two million attack signatures

    Luca Allodi, Fabio Massacci, and Julian Williams. The work-averse cyberattacker model: theory and evidence from two million attack signatures. Risk Analysis, 42(8):1623–1642, 2022

  2. [2]

    antgroup. Mcpscan. https://github.com/antgroup/MCPScan, 2025

  3. [3]

    Introducing the model context protocol

    anthropic. Introducing the model context protocol. https://www.anthropic.com/news/model-context-protocol, 2024

  4. [4]

    Manish Bhatt, Vineeth Sai Narajala, and Idan Habler. Etdi: Mitigating tool squatting and rug pull attacks in model context protocol (mcp) by using oauth-enhanced tool definitions and policy-based access control.arXiv preprint arXiv:2506.01333, 2025

  5. [5]

    Agentbound: Securing execution boundaries of ai agents

    Christoph Bühler, Matteo Biagiola, Luca Di Grazia, and Guido Salvaneschi. Agentbound: Securing execution boundaries of ai agents. InProceedings of the 34th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, page 24, 2026

  6. [6]

    Claude. Claude. https://claude.ai/, 2023

  7. [7]

    Connect claude code to tools via mcp

    Claude. Connect claude code to tools via mcp. https://code.claude.com/docs/en/mcp, 2025

  8. [8]

    Introducing claude 4

    Claude. Introducing claude 4. https://www.anthropic.com/news/claude-4, 2025

  9. [9]

    Introducing claude sonnet 4.5

    Claude. Introducing claude sonnet 4.5. https://www.anthropic.com/news/claude-sonnet-4-5, 2025

  10. [10]

    Cursor. Cursor. https://cursor.com, 2023

  11. [11]

    Cursor agent

    Cursor. Cursor agent. https://cursor.com/cn/docs/agent/overview#tools, 2025

  12. [12]

    Cursor directory - cursor rules & mcp servers

    Cursor. Cursor directory - cursor rules & mcp servers. https://cursor.directory/, 2025

  13. [13]

    Model context protocol (mcp) | cursor docs

    Cursor. Model context protocol (mcp) | cursor docs. https://cursor.com/docs/context/mcp, 2025

  14. [14]

    Deepseek-v3.1

    DeepSeek. Deepseek-v3.1. https://api-docs.deepseek.com/news/news250821, 2025

  15. [15]

    Abul Ehtesham, Aditi Singh, Gaurav Kumar Gupta, and Saket Kumar. A survey of agent interoperability protocols: Model context protocol (mcp), agent communication protocol (acp), agent-to-agent protocol (a2a), and agent network protocol (anp).arXiv preprint arXiv:2505.02279, 2025

  16. [16]

    We should identify and mitigate third-party safety risks in mcp-powered agent systems.arXiv preprint arXiv:2506.13666, 2025

    Junfeng Fang, Zijun Yao, Ruipeng Wang, Haokai Ma, Xiang Wang, and Tat-Seng Chua. We should identify and mitigate third-party safety risks in mcp-powered agent systems.arXiv preprint arXiv:2506.13666, 2025

  17. [17]

    Enhanced prompting framework for code summarization with large language models

    Minying Fang, Xing Yuan, Yuying Li, Haojie Li, Chunrong Fang, and Junwei Du. Enhanced prompting framework for code summarization with large language models. InProceedings of the 34th International Symposium on Software Testing and Analysis, 2025

  18. [18]

    Mcp json configuration

    FastMcp. Mcp json configuration. https://gofastmcp.com/integrations/mcp-json-configuration, 2025

  19. [19]

    Trae agent: An llm-based agent for software engineering with test-time scaling.arXiv preprint arXiv:2507.23370, 2025

    Pengfei Gao, Zhao Tian, Xiangxin Meng, Xinchen Wang, Ruida Hu, Yuanan Xiao, Yizhou Liu, Zhao Zhang, Junjie Chen, Cuiyun Gao, et al. Trae agent: An llm-based agent for software engineering with test-time scaling.arXiv preprint arXiv:2507.23370, 2025

  20. [20]

    Malguard: towards real-time, accurate, and actionable detection of malicious packages in pypi ecosystem

    Xingan Gao, Xiaobing Sun, Sicong Cao, Kaifeng Huang, Di Wu, Xiaolei Liu, Xingwei Lin, and Yang Xiang. Malguard: towards real-time, accurate, and actionable detection of malicious packages in pypi ecosystem. InProceedings of the 34th USENIX Conference on Security Symposium, 2025

  21. [21]

    Github copilot·your ai pair programmer

    GitHub. Github copilot·your ai pair programmer. https://github.com/features/copilot, 2021

  22. [22]

    Extending github copilot coding agent with the model context protocol (mcp)

    GitHub. Extending github copilot coding agent with the model context protocol (mcp). https://docs.github.com/en/enterprise-cloud@latest/copilot/ how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp?utm_source=chatgpt.com, 2025

  23. [23]

    Popular mcp servers

    Glama. Popular mcp servers. https://glama.ai/mcp/servers, 2025

  24. [24]

    Gemini 3

    Google. Gemini 3. https://aistudio.google.com/models/gemini-3, 2025

  25. [25]

    Gtfobins

    GTFOBins. Gtfobins. https://gtfobins.github.io/, 2022

  26. [26]

    A measurement study of model context protocol ecosystem.arXiv preprint arXiv:2509.25292, 2025

    Hechuan Guo, Yongle Hao, Yue Zhang, Minghui Xu, Peizhuo Lv, Jiezhi Chen, and Xiuzhen Cheng. A measurement study of model context protocol ecosystem.arXiv preprint arXiv:2509.25292, 2025

  27. [27]

    Large language model based multi-agents: A survey of progress and challenges

    Taicheng Guo, Xiuying Chen, Yaqi Wang, Ruidi Chang, Shichao Pei, Nitesh V Chawla, Olaf Wiest, and Xiangliang Zhang. Large language model based multi-agents: A survey of progress and challenges. InProceedings of the 33th International Joint Conference on Artificial Intelligence, pages 8048–8057, 2024

  28. [28]

    An empirical study of malicious code in pypi ecosystem

    Wenbo Guo, Zhengzi Xu, Chengwei Liu, Cheng Huang, Yong Fang, and Yang Liu. An empirical study of malicious code in pypi ecosystem. In Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering, pages 166–177, 2023

  29. [29]

    Systematic analysis of mcp security.arXiv preprint arXiv:2508.12538, 2025

    Yongjian Guo, Puzhuo Liu, Wanlun Ma, Zehang Deng, Xiaogang Zhu, Peng Di, Xi Xiao, and Sheng Wen. Systematic analysis of mcp security.arXiv preprint arXiv:2508.12538, 2025

  30. [30]

    damn-vulnerable-mcp-server

    harishsg993010. damn-vulnerable-mcp-server. https://github.com/harishsg993010/damn-vulnerable-MCP-server, 2025

  31. [31]

    Model context protocol (mcp) at first glance: Studying the security and maintainability of mcp servers.arXiv preprint arXiv:2506.13538, 2025

    Mohammed Mehedi Hasan, Hao Li, Emad Fallahzadeh, Gopi Krishnan Rajbahadur, Bram Adams, and Ahmed E Hassan. Model context protocol (mcp) at first glance: Studying the security and maintainability of mcp servers.arXiv preprint arXiv:2506.13538, 2025

  32. [32]

    Model context protocol (mcp) tool descriptions are smelly! towards improving ai agent efficiency with augmented mcp tool descriptions.arXiv preprint arXiv:2602.14878, 2026

    Mohammed Mehedi Hasan, Hao Li, Gopi Krishnan Rajbahadur, Bram Adams, and Ahmed E Hassan. Model context protocol (mcp) tool descriptions are smelly! towards improving ai agent efficiency with augmented mcp tool descriptions.arXiv preprint arXiv:2602.14878, 2026

  33. [33]

    Automatic red teaming llm-based agents with model context protocol tools.arXiv preprint arXiv:2509.21011, 2025

    Ping He, Changjiang Li, Binbin Zhao, Tianyu Du, and Shouling Ji. Automatic red teaming llm-based agents with model context protocol tools.arXiv preprint arXiv:2509.21011, 2025. Manuscript submitted to ACM 28 Huang et al

  34. [34]

    Model context protocol (mcp): Landscape, security threats, and future research directions

    Xinyi Hou, Yanjie Zhao, Shenao Wang, and Haoyu Wang. Model context protocol (mcp): Landscape, security threats, and future research directions. arXiv preprint arXiv:2503.23278, 2025

  35. [35]

    Donapi: Malicious npm packages detector using behavior sequence knowledge mapping

    Cheng Huang, Nannan Wang, Ziyan Wang, Siqi Sun, Lingzi Li, Junren Chen, Qianchong Zhao, Jiaxuan Han, Zhen Yang, and Lei Shi. Donapi: Malicious npm packages detector using behavior sequence knowledge mapping. InProceedings of the 33rd USENIX Security Symposium, 2024

  36. [36]

    Spiderscan: Practical detection of malicious npm packages based on graph-based behavior modeling and matching

    Yiheng Huang, Ruisi Wang, Wen Zheng, Zhuotong Zhou, Susheng Wu, Shulin Ke, Bihuan Chen, Shan Gao, and Xin Peng. Spiderscan: Practical detection of malicious npm packages based on graph-based behavior modeling and matching. InProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pages 1146–1158, 2024

  37. [37]

    Profmal: Detecting malicious npm packages by the synergy between static and dynamic analysis

    Yiheng Huang, Wen Zheng, Susheng Wu, Bihuan Chen, You Lu, Zhuotong Zhou, Yiheng Cao, Xiaoyu Li, and Xin Peng. Profmal: Detecting malicious npm packages by the synergy between static and dynamic analysis. InProceedings of the 40th IEEE/ACM International Conference on Automated Software Engineering, 2025

  38. [38]

    Mcp security notification: Tool poisoning attacks

    Invariantlabs. Mcp security notification: Tool poisoning attacks. https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks, 2025

  39. [39]

    Whatsapp mcp exploited: Exfiltrating your message history via mcp

    Invariantlabs. Whatsapp mcp exploited: Exfiltrating your message history via mcp. https://invariantlabs.ai/blog/whatsapp-mcp-exploited, 2025

  40. [40]

    mcp-scan

    invariantlabs ai. mcp-scan. https://github.com/invariantlabs-ai/mcp-scan, 2025

  41. [41]

    Mcip: Protecting mcp safety via model contextual integrity protocol

    Huihao Jing, Haoran Li, Wenbin Hu, Qi Hu, Xu Heli, Tianshu Chu, Peizhao Hu, and Yangqiu Song. Mcip: Protecting mcp safety via model contextual integrity protocol. InProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, pages 1177–1194, 2025

  42. [42]

    Joern - the bug hunter’s workbench

    Joern. Joern - the bug hunter’s workbench. https://joern.io/, 2019

  43. [43]

    3 malicious mcp servers found on pypi

    Guy Korolevski. 3 malicious mcp servers found on pypi. https://research.jfrog.com/post/3-malicious-mcps-pypi-reverse-shell/, 2026

  44. [44]

    Mcp guardian: A security-first layer for safeguarding mcp-based ai system

    Sonu Kumar, Anubhav Girdhar, Ritesh Patil, and Divyansh Tripathi. Mcp guardian: A security-first layer for safeguarding mcp-based ai system. arXiv preprint arXiv:2504.12757, 2025

  45. [45]

    First malicious mcp server found stealing emails in rogue postmark-mcp package

    Ravie Lakshmanan. First malicious mcp server found stealing emails in rogue postmark-mcp package. https://thehackernews.com/2025/09/first- malicious-mcp-server-found.html, 2026

  46. [46]

    The platform for reliable agents

    langchain. The platform for reliable agents. https://github.com/langchain-ai/langchain, 2023

  47. [47]

    We urgently need privilege management in mcp: A measurement of api usage in mcp ecosystems

    Zhihao Li, Kun Li, Boyang Ma, Minghui Xu, Yue Zhang, and Xiuzhen Cheng. We urgently need privilege management in mcp: A measurement of api usage in mcp ecosystems. InProceedings of the 22nd International Conference on Mobile Ad-Hoc and Smart Systems, pages 555–560, 2025

  48. [48]

    Getting started with model context protocol part 2: Prompts and resources

    Daniel Liden. Getting started with model context protocol part 2: Prompts and resources. https://www.danliden.com/posts/20250921-mcp-prompts- resources.html, 2025

  49. [49]

    From large to mammoth: A comparative evaluation of large language models in vulnerability detection

    Jie Lin and David Mohaisen. From large to mammoth: A comparative evaluation of large language models in vulnerability detection. InProceedings of the 32th Network and Distributed System Security Symposium, 2025

  50. [50]

    MCP.so. Mcp.so. https://mcp.so/, 2025

  51. [51]

    Model context protocol servers

    modelcontextprotocol. Model context protocol servers. https://github.com/modelcontextprotocol/servers, 2025

  52. [52]

    Enterprise-grade security for the model context protocol (mcp): Frameworks and mitigation strategies.arXiv preprint arXiv:2504.08623, 2025

    Vineeth Sai Narajala and Idan Habler. Enterprise-grade security for the model context protocol (mcp): Frameworks and mitigation strategies.arXiv preprint arXiv:2504.08623, 2025

  53. [53]

    Securing genai multi-agent systems against tool squatting: A zero trust registry-based approach

    Vineeth Sai Narajala, Ken Huang, and Idan Habler. Securing genai multi-agent systems against tool squatting: A zero trust registry-based approach. arXiv preprint arXiv:2504.19951, 2025

  54. [54]

    Backstabber’s knife collection: A review of open source software supply chain attacks

    Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. Backstabber’s knife collection: A review of open source software supply chain attacks. InProceedings of the 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 23–43, 2020

  55. [55]

    Function calling

    OpenAI. Function calling. https://platform.openai.com/docs/guides/function-calling, 2025

  56. [56]

    Introducing gpt-5

    OpenAI. Introducing gpt-5. https://openai.com/index/introducing-gpt-5/, 2025

  57. [57]

    A distributed vulnerability database for open source

    OSV. A distributed vulnerability database for open source. https://osv.dev/, 2026

  58. [58]

    Mcp server directory

    pulse. Mcp server directory. https://www.pulsemcp.com/servers, 2025

  59. [59]

    Toolllm: Facilitating large language models to master 16000+ real-world apis

    Yujia Qin, Shihao Liang, Yining Ye, Kunlun Zhu, Lan Yan, Yaxi Lu, Yankai Lin, Xin Cong, Xiangru Tang, Bill Qian, et al. Toolllm: Facilitating large language models to master 16000+ real-world apis. InProceedings of the 12th International Conference on Learning Representations, 2024

  60. [60]

    Mcp safety audit: Llms with the model context protocol allow major security exploits.arXiv preprint arXiv:2504.03767, 2025

    Brandon Radosevich and John Halloran. Mcp safety audit: Llms with the model context protocol allow major security exploits.arXiv preprint arXiv:2504.03767, 2025

  61. [61]

    A survey on model context protocol: Architecture, state-of-the-art, challenges and future directions.Authorea Preprints, 2025

    Partha Pratim Ray. A survey on model context protocol: Architecture, state-of-the-art, challenges and future directions.Authorea Preprints, 2025

  62. [62]

    Benefits of using mcp over traditional integration methods

    Drishti Shah. Benefits of using mcp over traditional integration methods. https://portkey.ai/blog/benefits-of-mcp-over-traditional-integration/, 2025

  63. [63]

    Promptarmor: Simple yet effective prompt injection defenses.arXiv preprint arXiv:2507.15219, 2025

    Tianneng Shi, Kaijie Zhu, Zhun Wang, Yuqi Jia, Will Cai, Weida Liang, Haonan Wang, Hend Alzahrani, Joshua Lu, Kenji Kawaguchi, et al. Promptarmor: Simple yet effective prompt injection defenses.arXiv preprint arXiv:2507.15219, 2025

  64. [64]

    Smithery - turn scattered context into skills for ai

    Smithery. Smithery - turn scattered context into skills for ai. https://smithery.ai/servers, 2025

  65. [65]

    Beyond the protocol: Unveiling attack vectors in the model context protocol ecosystem.arXiv preprint arXiv:2506.02040, 2025

    Hao Song, Yiming Shen, Wenxuan Luo, Leixin Guo, Ting Chen, Jiashui Wang, Beibei Li, Xiaosong Zhang, and Jiachi Chen. Beyond the protocol: Unveiling attack vectors in the model context protocol ecosystem.arXiv preprint arXiv:2506.02040, 2025

  66. [66]

    Ai-infra-guard

    Tencent. Ai-infra-guard. https://github.com/Tencent/AI-Infra-Guard, 2025

  67. [67]

    Mcpguard: Automatically detecting vulnerabilities in mcp servers.arXiv preprint arXiv:2510.23673, 2025

    Bin Wang, Zexin Liu, Hao Yu, Ao Yang, Yenan Huang, Jing Guo, Huangsheng Cheng, Hui Li, and Huiyu Wu. Mcpguard: Automatically detecting vulnerabilities in mcp servers.arXiv preprint arXiv:2510.23673, 2025. Manuscript submitted to ACM From Component Manipulation to System Compromise: Understanding and Detecting Malicious MCP Servers 29

  68. [68]

    Self-instruct: Aligning language models with self-generated instructions

    Yizhong Wang, Yeganeh Kordi, Swaroop Mishra, Alisa Liu, Noah A Smith, Daniel Khashabi, and Hannaneh Hajishirzi. Self-instruct: Aligning language models with self-generated instructions. InProceedings of the 61st annual meeting of the association for computational linguistics, pages 13484–13508, 2023

  69. [69]

    Mpma: Preference manipulation attack against model context protocol.arXiv preprint arXiv:2505.11154, 2025

    Zihan Wang, Rui Zhang, Yu Liu, Wenshu Fan, Wenbo Jiang, Qingchuan Zhao, Hongwei Li, and Guowen Xu. Mpma: Preference manipulation attack against model context protocol.arXiv preprint arXiv:2505.11154, 2025

  70. [70]

    Mcp-guard: A defense framework for model context protocol integrity in large language model applications.arXiv preprint arXiv:2508.10991, 2025

    Wenpeng Xing, Zhonghao Qi, Yupeng Qin, Yilin Li, Caini Chang, Jiahui Yu, Changting Lin, Zhenzhen Xie, and Meng Han. Mcp-guard: A defense framework for model context protocol integrity in large language model applications.arXiv preprint arXiv:2508.10991, 2025

  71. [71]

    A survey of ai agent protocols.arXiv preprint arXiv:2504.16736, 2025

    Yingxuan Yang, Huacan Chai, Yuanyi Song, Siyuan Qi, Muning Wen, Ning Li, Junwei Liao, Haoyi Hu, Jianghao Lin, Gaowei Chang, et al. A survey of ai agent protocols.arXiv preprint arXiv:2504.16736, 2025

  72. [72]

    Mcpsecbench: A systematic security benchmark and playground for testing model context protocols

    Yixuan Yang, Daoyuan Wu, and Yufan Chen. Mcpsecbench: A systematic security benchmark and playground for testing model context protocols. arXiv preprint arXiv:2508.13220, 2025

  73. [73]

    yiheng. Connor. https://github.com/yiheng98/Connor, 2026

  74. [74]

    Williams

    Nusrat Zahan, Philipp Burckhardt, Mikola Lysenko, Feross Aboukhadijeh, and Laurie A. Williams. Leveraging large language models to detect npm malicious packages. InProceedings of the 47th International Conference on Software Engineering, 2025

  75. [75]

    Junan Zhang, Kaifeng Huang, Yiheng Huang, Bihuan Chen, Ruisi Wang, Chong Wang, and Xin Peng. Killing two birds with one stone: Malicious package detection in npm and pypi using a single model of malicious behavior sequence.ACM Transactions on Software Engineering and Methodology, 2024

  76. [76]

    Mind your server: A systematic study of parasitic toolchain attacks on the mcp ecosystem.arXiv preprint arXiv:2509.06572, 2025

    Shuli Zhao, Qinsheng Hou, Zihan Zhan, Yanhao Wang, Yuchong Xie, Yu Guo, Libo Chen, Shenghong Li, and Zhi Xue. Mind your server: A systematic study of parasitic toolchain attacks on the mcp ecosystem.arXiv preprint arXiv:2509.06572, 2025

  77. [77]

    When mcp servers attack: Taxonomy, feasibility, and mitigation.arXiv preprint arXiv:2509.24272, 2025

    Weibo Zhao, Jiahao Liu, Bonan Ruan, Shaofei Li, and Zhenkai Liang. When mcp servers attack: Taxonomy, feasibility, and mitigation.arXiv preprint arXiv:2509.24272, 2025

  78. [78]

    –” in the “ID

    Xinyi Zheng, Chen Wei, Shenao Wang, Yanjie Zhao, Peiming Gao, Yuanchao Zhang, Kailong Wang, and Haoyu Wang. Towards robust detection of open source software supply chain poisoning attacks in industry environments. InProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pages 1990–2001, 2024. Manuscript submitted to A...