pith. machine review for the scientific record. sign in

arxiv: 2604.07551 · v1 · submitted 2026-04-08 · 💻 cs.CR · cs.AI

Recognition: no theorem link

MCP-DPT: A Defense-Placement Taxonomy and Coverage Analysis for Model Context Protocol Security

Mehrdad Rostamzadeh , Sidhant Narula , Nahom Birhan , Mohammad Ghasemigol , Daniel Takabi
Authors on Pith no claims yet

Pith reviewed 2026-05-10 17:06 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords Model Context ProtocolMCP securitydefense taxonomyLLM tool callingarchitectural securitydefense placementsupply chainagent security
0
0 comments X

The pith

MCP security weaknesses often stem from defense placement across its six architectural layers rather than isolated code flaws.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper builds a taxonomy that sorts MCP attacks and defenses according to which of six layers holds enforcement responsibility. It maps threats and current protections to reveal heavy concentration at the tool layer alongside gaps in host orchestration, transport, and supply-chain areas. Readers care because MCP lets language models discover and call third-party tools dynamically, creating distributed attack surfaces across independent operators that prompt-only LLM security does not cover. The analysis concludes that many problems trace to how the protocol assigns security duties rather than to any single faulty implementation. If the mapping holds, efforts to secure MCP agents should focus on aligning mitigations with layer boundaries instead of adding more tool-specific patches.

Core claim

We present a defense-placement-oriented security analysis of MCP, introducing a layer-aligned taxonomy that organizes attacks by the architectural component responsible for enforcement. Threats are mapped across six MCP layers, and primary and secondary defense points are identified to support principled defense-in-depth reasoning under adversaries controlling tools, servers, or ecosystem components. A structured mapping of existing academic and industry defenses onto this framework reveals uneven and predominantly tool-centric protection, with persistent gaps at the host orchestration, transport, and supply-chain layers. These findings suggest that many MCP security weaknesses stem from the

What carries the argument

The MCP-DPT layer-aligned taxonomy, which assigns each attack and defense to one of six MCP architectural layers according to which component enforces the protection.

If this is right

  • Defense-in-depth for MCP requires primary and secondary protection points identified at multiple layers rather than one.
  • Current academic and industry defenses leave persistent gaps at host orchestration, transport, and supply-chain layers.
  • Adversaries who control tools, servers, or other ecosystem parts can exploit the uneven coverage.
  • Security improvements should prioritize realigning mitigations with the protocol's distributed trust boundaries.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Framework designers could apply the taxonomy as an audit checklist before releasing new MCP-based agent systems.
  • The same layer-mapping approach might reveal similar placement problems in other dynamic tool-calling protocols for AI agents.
  • The identified supply-chain gaps point to a need for verifiable third-party component registries that the current protocol does not provide.

Load-bearing premise

The division of MCP into six layers correctly captures where security enforcement responsibility actually lies and the collected academic and industry defenses represent a complete view of existing practice.

What would settle it

A demonstration that a complete set of effective defenses can be placed only at the tool layer while still blocking all major MCP attacks, or the discovery of strong native defenses already operating at the supply-chain and transport layers, would undermine the misalignment claim.

Figures

Figures reproduced from arXiv: 2604.07551 by Daniel Takabi, Mehrdad Rostamzadeh, Mohammad Ghasemigol, Nahom Birhan, Sidhant Narula.

Figure 1
Figure 1. Figure 1: Primary and secondary defense layers for a rug pull attack. [PITH_FULL_IMAGE:figures/full_fig_p006_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Defense placement taxonomy of attacks. 3.1 Architectural Layers as Security Boundaries The taxonomy is grounded in the MCP architecture and its real operational trust boundaries. We define six layers, each corresponding to a distinct ownership domain and control surface. 3.1.1 Model Provider / LLM Alignment. This layer encompasses the language model itself and the mechanisms that govern its behavior, inclu… view at source ↗
read the original abstract

The Model Context Protocol (MCP) enables large language models (LLMs) to dynamically discover and invoke third-party tools, significantly expanding agent capabilities while introducing a distinct security landscape. Unlike prompt-only interactions, MCP exposes pre-execution artifacts, shared context, multi-turn workflows, and third-party supply chains to adversarial influence across independently operated components. While recent work has identified MCP-specific attacks and evaluated defenses, existing studies are largely attack-centric or benchmark-driven, providing limited guidance on where mitigation responsibility should reside within the MCP architecture. This is problematic given MCP's multi-party design and distributed trust boundaries. We present a defense-placement-oriented security analysis of MCP, introducing a layer-aligned taxonomy that organizes attacks by the architectural component responsible for enforcement. Threats are mapped across six MCP layers, and primary and secondary defense points are identified to support principled defense-in-depth reasoning under adversaries controlling tools, servers, or ecosystem components. A structured mapping of existing academic and industry defenses onto this framework reveals uneven and predominantly tool-centric protection, with persistent gaps at the host orchestration, transport, and supply-chain layers. These findings suggest that many MCP security weaknesses stem from architectural misalignment rather than isolated implementation flaws.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces MCP-DPT, a six-layer defense-placement taxonomy for Model Context Protocol (MCP) security. It maps MCP-specific threats and existing academic/industry defenses onto these layers (with primary and secondary defense points), identifies uneven and predominantly tool-centric coverage with gaps at host orchestration, transport, and supply-chain layers, and concludes that many MCP security weaknesses arise from architectural misalignment in the multi-party design rather than isolated implementation flaws.

Significance. If the taxonomy faithfully reflects MCP responsibility boundaries and the defense survey is representative, the work supplies a structured, defense-in-depth lens for a nascent multi-component LLM tool protocol. It usefully shifts emphasis from attack enumeration to placement of mitigations across independently operated components, which could inform future protocol revisions and deployment guidelines. The descriptive mapping approach avoids circularity and provides a reusable framework.

major comments (2)
  1. [§3] §3 (Taxonomy definition): The six-layer division is load-bearing for the misalignment claim, yet the manuscript offers only high-level alignment with the MCP architecture without a detailed, side-by-side mapping to the official MCP specification sections that define component responsibilities; this leaves open whether the observed gaps are intrinsic or taxonomy-induced.
  2. [§5] §5 (Defense mapping and coverage analysis): The central finding of 'persistent gaps' and 'architectural misalignment' depends on the surveyed defenses constituting a sufficiently complete sample; the paper does not specify search methodology, inclusion/exclusion criteria, time bounds, or sources (academic venues vs. industry reports), so the uneven coverage could reflect enumeration limits rather than systemic misalignment.
minor comments (2)
  1. [Abstract] Abstract: The claim of 'uneven and predominantly tool-centric protection' would be strengthened by including even a brief quantitative summary (e.g., number of defenses mapped per layer or percentage tool-centric).
  2. [§4] Notation: The distinction between 'primary' and 'secondary' defense points is introduced but not consistently applied in the layer-by-layer discussion; a small table summarizing this for each layer would improve clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed review. The comments highlight opportunities to strengthen the methodological transparency and architectural grounding of MCP-DPT. We address each major comment below and will incorporate revisions to improve clarity and rigor while preserving the core contributions.

read point-by-point responses

  1. Referee: [§3] §3 (Taxonomy definition): The six-layer division is load-bearing for the misalignment claim, yet the manuscript offers only high-level alignment with the MCP architecture without a detailed, side-by-side mapping to the official MCP specification sections that define component responsibilities; this leaves open whether the observed gaps are intrinsic or taxonomy-induced.

    Authors: We agree that an explicit side-by-side mapping would better substantiate the taxonomy and the misalignment claim. The six layers are derived from the primary responsibility boundaries in the MCP specification (host orchestration, transport, tool invocation, context sharing, server-side execution, and supply-chain elements). In the revision we will add a dedicated table in §3 that aligns each layer with the corresponding sections and component definitions from the official MCP specification. This will clarify that the identified gaps reflect the distributed, multi-party nature of MCP rather than an artifact of the taxonomy boundaries. revision: yes

  2. Referee: [§5] §5 (Defense mapping and coverage analysis): The central finding of 'persistent gaps' and 'architectural misalignment' depends on the surveyed defenses constituting a sufficiently complete sample; the paper does not specify search methodology, inclusion/exclusion criteria, time bounds, or sources (academic venues vs. industry reports), so the uneven coverage could reflect enumeration limits rather than systemic misalignment.

    Authors: We acknowledge that explicit documentation of the survey process is necessary to support the coverage analysis. In the revised manuscript we will insert a new subsection (or appendix) in §5 that details the search methodology: academic sources (arXiv, ACM, IEEE, USENIX), industry reports (major LLM vendors and protocol maintainers), search terms, inclusion criteria (defenses applicable to LLM tool protocols or MCP-like architectures), exclusion criteria (purely prompt-level or non-tool defenses), and time bounds (post-MCP announcement through submission). This addition will allow readers to evaluate the representativeness of the sample while preserving the finding that current defenses remain predominantly tool-centric. revision: yes

Circularity Check

0 steps flagged

No significant circularity: descriptive taxonomy and mapping with independent interpretive conclusion

full rationale

The paper introduces a six-layer taxonomy, maps attacks and defenses onto it, and interprets coverage gaps as evidence of architectural misalignment. This chain is self-contained: the taxonomy organizes existing elements by responsibility (as stated in the abstract), the mapping is an enumeration exercise, and the misalignment suggestion is an interpretive inference rather than a derived quantity equivalent to the inputs by construction. No equations, fitted parameters, predictions, or load-bearing self-citations appear. The central claim does not reduce to self-definition or renaming; it rests on the completeness of the external defense survey, which is an external benchmark rather than an internal loop.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claim depends on the validity of the proposed six-layer architectural model and the assumption that existing defenses have been exhaustively identified and correctly placed within the taxonomy.

axioms (1)
  • domain assumption MCP can be partitioned into six layers with distinct enforcement responsibilities.
    The taxonomy is constructed by aligning attacks and defenses to these layers.
invented entities (1)
  • MCP-DPT defense-placement taxonomy no independent evidence
    purpose: To organize attacks by the architectural component responsible for enforcement and to identify primary and secondary defense points.
    New classification framework introduced by the authors.

pith-pipeline@v0.9.0 · 5524 in / 1142 out tokens · 38680 ms · 2026-05-10T17:06:30.015501+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

70 extracted references · 48 canonical work pages · 9 internal anchors

  1. [1]

    2025.AIM-Guard-MCP: AI-Powered Security Guard for Model Context Protocol

    AIM Intelligence. 2025.AIM-Guard-MCP: AI-Powered Security Guard for Model Context Protocol. https://github.com/AIM-Intelligence/AIM-MCP MCP security middleware providing prompt injection detection, credential scanning, URL validation, and contextual AI safety guards

    2025

  2. [2]

    Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP

    Z. Anbiaee, M. Rabbani, M. Mirani, G. Piya, I. Opushnyev, A. Ghorbani, and S. Dadkhah. 2026. Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP. arXiv:2602.11327 doi:10.48550/arXiv.2602.11327

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2602.11327 2026

  3. [3]

    Anthropic. 2024. Introducing the Model Context Protocol. https://www.anthropic.com/news/model-context-protocol. Accessed: 2026-01-27

    2024

  4. [4]

    J. R. Asl, S. Narula, M. Ghasemigol, E. Blanco, and D. Takabi. 2025. NEXUS: Network Exploration for eXploiting Unsafe Sequences in Multi-Turn LLM Jailbreaks. InProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing (EMNLP). 24278–24306

    2025

  5. [5]

    AgentBound: Securing Execution Boundaries of AI Agents

    C. Bühler, M. Biagiola, L. Di Grazia, and G. Salvaneschi. 2025. Securing AI Agent Execution. arXiv:2510.21236 [cs.AI] doi:10.48550/arXiv.2510.21236

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2510.21236 2025

  6. [6]

    Cisco AI Defense. 2025. MCP Scanner: Security Analysis for Model Context Protocol Artifacts. https://github.com/cisco-ai-defense/mcp-scanner. Accessed: 2025

    2025

  7. [7]

    eqtylab. 2025. MCP Guardian: Enterprise Access Control and Governance for Model Context Protocol. https://github.com/eqtylab/mcp-guardian. Accessed: 2025

    2025

  8. [8]

    Herman Errico, Jiquan Ngiam, and Shanita Sojan. 2025. Securing the Model Context Protocol (MCP): Risks, Controls, and Governance. arXiv:2511.20920 [cs.CR] doi:10.48550/arXiv.2511.20920

    work page doi:10.48550/arxiv.2511.20920 2025

  9. [9]

    Eslami and J

    A. Eslami and J. Yu. 2025. Security Risks of Agentic Vehicles: A Systematic Analysis of Cognitive and Cross-Layer Threats. arXiv:2512.17041 doi:10.48550/arXiv.2512.17041

    work page doi:10.48550/arxiv.2512.17041 2025

  10. [10]

    Junfeng Fang, Zijun Yao, Ruipeng Wang, Haokai Ma, Xiang Wang, and Tat-Seng Chua. 2025. We Should Identify and Mitigate Third-Party Safety Risks in MCP-Powered Agent Systems. arXiv:2506.13666 [cs.LG] doi:10.48550/arXiv.2506.13666 MCP-DPT: A Defense-Placement Taxonomy and Coverage Analysis for Model Context Protocol Security 23

    work page doi:10.48550/arxiv.2506.13666 2025

  11. [11]

    Systematization of knowledge: Security and safety in the model context protocol ecosystem,

    S. Gaire, S. Gyawali, S. Mishra, S. Niroula, D. Thakur, and U. Yadav. 2025. Systematization of Knowledge: Security and Safety in the Model Context Protocol Ecosystem. arXiv:2512.08290 doi:10.48550/arXiv.2512.08290

    work page doi:10.48550/arxiv.2512.08290 2025

  12. [12]

    Tarek Gasmi, Rania Guesmi, Imen Belhadj, and Joffrey Bennaceur. 2025. Bridging AI and Software Security: A Comparative Vulnerability Assessment of LLM Agent Deployment Paradigms. arXiv:2507.06323 [cs.CR] doi:10.48550/arXiv.2507.06323

    work page doi:10.48550/arxiv.2507.06323 2025

  13. [13]

    A safety and security framework for real-world agentic systems,

    S. Ghosh, B. Simkin, K. Shiarlis, S. Nandi, D. Zhao, M. Fiedler, J. Bazinska, N. Pope, R. Prabhu, D. Rohrer, and M. Demoret. 2025. A Safety and Security Framework for Real-World Agentic Systems. arXiv:2511.21990 doi:10.48550/arXiv.2511.21990

    work page doi:10.48550/arxiv.2511.21990 2025

  14. [14]

    Giurgiu and M

    I. Giurgiu and M. E. Nidd. 2025. Supporting Dynamic Agentic Workloads: How Data and Agents Interact. arXiv:2512.09548 doi:10.48550/arXiv.2512. 09548

    work page doi:10.48550/arxiv.2512 2025

  15. [15]

    Gulyamov, S

    S. Gulyamov, S. Gulyamov, A. Rodionov, R. Khursanov, K. Mekhmonov, D. Babaev, and A. Rakhimjonov. 2026. Prompt Injection Attacks in Large Language Models and AI Agent Systems: A Comprehensive Review of Vulnerabilities, Attack Vectors, and Defense Mechanisms.Information17, 1 (Jan. 2026), 54. doi:10.3390/info17010054

    work page doi:10.3390/info17010054 2026

  16. [16]

    Yongjian Guo, Puzhuo Liu, Wanlun Ma, Zehang Deng, Xiaogang Zhu, Peng Di, Xi Xiao, and Sheng Wen. 2025. Systematic Analysis of MCP Security. arXiv:2508.12538 doi:10.48550/arXiv.2508.12538

    work page doi:10.48550/arxiv.2508.12538 2025

  17. [17]

    Zhiqiang Guo, Bo Xu, Chenyu Zhu, Weijie Hong, Xinyu Wang, and Zhenjiang Mao. 2025. MCP-AgentBench: Evaluating Real-World Language Agent Performance with MCP-Mediated Tools. arXiv:2509.09734 [cs.AI] doi:10.48550/arXiv.2509.09734

    work page doi:10.48550/arxiv.2509.09734 2025

  18. [18]

    Mohammed Mehedi Hasan, Hao Li, Emad Fallahzadeh, Gopi Krishnan Rajbahadur, Bram Adams, and Ahmed E. Hassan. 2025. Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers. arXiv:2506.13538 [cs.SE] doi:10.48550/arXiv.2506.13538

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2506.13538 2025

  19. [19]

    Pham, Hitesh Lakadawala, and Yufei Chen

    Mehrdad Hatami, Vinh T. Pham, Hitesh Lakadawala, and Yufei Chen. 2026. Securing AI Agents in Cyber-Physical Systems: A Survey of Environmental Interactions, Deepfake Threats, and Defenses. arXiv:2601.20184 doi:10.48550/arXiv.2601.20184

    work page doi:10.48550/arxiv.2601.20184 2026

  20. [20]

    Xinyi Hou, Yanjie Zhao, Shenao Wang, and Haoyu Wang. 2025. Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions. arXiv:2503.23278 [cs.CR] doi:10.48550/arXiv.2503.23278

    work page internal anchor Pith review doi:10.48550/arxiv.2503.23278 2025

  21. [21]

    Invariant Labs. 2025. MCP-Scan: Model Context Protocol Scanner. https://github.com/invariantlabs-ai/mcp-scan. Accessed: 2025

    2025

  22. [22]

    Saeid Jamshidi, Kawser Wazed Nafi, Arghavan Moradi Dakhel, Negar Shahabi, Foutse Khomh, and Naser Ezzati-Jivan. 2025. Securing the Model Context Protocol: Defending LLMs Against Tool Poisoning and Adversarial Attacks. arXiv:2512.06556 doi:10.48550/arXiv.2512.06556

    work page doi:10.48550/arxiv.2512.06556 2025

  23. [23]

    Huihao Jing, Haoran Li, Wenbin Hu, Qi Hu, Heli Xu, Tianshu Chu, Peizhao Hu, and Yangqiu Song. 2025. MCIP: Protecting MCP Safety via Model Contextual Integrity Protocol. arXiv:2505.14590 [cs.CR] doi:10.48550/arXiv.2505.14590

    work page doi:10.48550/arxiv.2505.14590 2025

  24. [24]

    M. A. Jishan, M. W. Allvi, and M. A. K. Rifat. 2024. Analyzing User Prompt Quality: Insights from Data. In2024 International Conference on Decision Aid Sciences and Applications (DASA). IEEE, 1–5

    2024

  25. [25]

    Daniel Kang, Xinyue Li, Ion Stoica, Carlos Guestrin, Matei Zaharia, and Tatsunori Hashimoto. 2024. Exploiting Programmatic Behavior of LLMs: Dual-Use Through Standard Security Attacks. In2024 IEEE Security and Privacy Workshops (SPW). IEEE, 132–143. doi:10.1109/SPW63631.2024.00028

    work page doi:10.1109/spw63631.2024.00028 2024

  26. [26]

    Lasso Security. 2025. MCP-Gateway: Secure Proxy and Orchestration Layer for Model Context Protocol. https://github.com/lasso-security/mcp- gateway. Accessed: 2025

    2025

  27. [27]

    Yang Lei, Jian Xu, Chuxuan Liang, Zhen Bi, Xiaoyu Li, Di Zhang, Jian Song, and Zhiwen Yu. 2025. A Comprehensive Survey on Model Context Protocol: Architecture, Tool Integration, and the Future of AI Interoperability.Preprint(Dec. 2025)

    2025

  28. [28]

    Enhan Li, Hongyang Du, and Kaibin Huang. 2025. NetMCP: Network-Aware Model Context Protocol Platform for LLM Capability Extension. arXiv:2510.13467 [cs.AI] doi:10.48550/arXiv.2510.13467

    work page doi:10.48550/arxiv.2510.13467 2025

  29. [29]

    Ming Li, Yifan Zhao, Bing Yu, Feifan Song, Haoxiang Li, Hao Yu, Zhen Li, Fei Huang, and Yi Li. 2023. API-Bank: A Comprehensive Benchmark for Tool-Augmented LLMs. arXiv:2304.08244 doi:10.48550/arXiv.2304.08244

    work page doi:10.48550/arxiv.2304.08244 2023

  30. [30]

    Ruiqi Li, Zhiqiang Wang, Yunhao Yao, and Xiang-Yang Li. 2025. LeechHijack: Covert Computational Resource Exploitation in Intelligent Agent Systems. arXiv:2512.02321 doi:10.48550/arXiv.2512.02321

    work page doi:10.48550/arxiv.2512.02321 2025

  31. [31]

    Ruiqi Li, Zhiqiang Wang, Yunhao Yao, and Xiang-Yang Li. 2026. MCP-ITP: An Automated Framework for Implicit Tool Poisoning in MCP. arXiv:2601.07395 [cs.CR] doi:10.48550/arXiv.2601.07395

    work page doi:10.48550/arxiv.2601.07395 2026

  32. [32]

    Amir Lotfi, Christos Katsis, and Elisa Bertino. 2025. Automated Vulnerability Validation and Verification: A Large Language Model Approach. arXiv:2509.24037 doi:10.48550/arXiv.2509.24037

    work page doi:10.48550/arxiv.2509.24037 2025

  33. [33]

    Mahmud, D

    S. Mahmud, D. B. Goldfajn, and S. Zilberstein. 2025. Distributed Multi-Agent Coordination Using Multi-Modal Foundation Models. arXiv:2501.14189 doi:10.48550/arXiv.2501.14189

    work page doi:10.48550/arxiv.2501.14189 2025

  34. [34]

    Narek Maloyan and Dmitry Namiot. 2026. Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis of Vulnerabilities in Skills, Tools, and Protocol Ecosystems. arXiv:2601.17548 doi:10.48550/arXiv.2601.17548

    work page doi:10.48550/arxiv.2601.17548 2026

  35. [35]

    MCP-Defender. 2025. MCP-Defender: Runtime Protection for Model Context Protocol. https://mcpdefender.com/. Accessed: 2025

    2025

  36. [36]

    MCPScan.ai. 2025. MCPScan.ai: Enterprise Model Context Protocol Security Platform. https://mcpscan.ai. Accessed: 2025

    2025

  37. [37]

    Model Context Protocol. 2025. Model Context Protocol Specification (Version 2025-11-25). https://modelcontextprotocol.io/specification/2025-11-25. Accessed: 2026-01-27

    2025

  38. [38]

    Long Ouyang, Jeffrey Wu, Xu Jiang, Diogo Almeida, Carroll Wainwright, Pamela Mishkin, Chong Zhang, Sandhini Agarwal, Katarina Slama, Alex Ray, and John Schulman. 2022. Training Language Models to Follow Instructions with Human Feedback.Advances in Neural Information Processing Systems35 (2022), 27730–27744. https://arxiv.org/abs/2203.02155 24 Rostamzadeh et al

    work page internal anchor Pith review Pith/arXiv arXiv 2022

  39. [39]

    OWASP Foundation. 2024. OWASP Top 10 for Large Language Model Applications. https://owasp.org/www-project-top-10-for-large-language- model-applications/. Accessed: 2026-01-27

    2024

  40. [40]

    2025.AIVSS: Scoring System for OW ASP Agentic AI Core Security Risks

    OWASP Foundation. 2025.AIVSS: Scoring System for OW ASP Agentic AI Core Security Risks. Technical Report. Open Worldwide Application Security Project (OWASP). https://aivss.owasp.org/assets/publications/AIVSS%20Scoring%20System%20For%20OWASP%20Agentic%20AI%20Core% 20Security%20Risks%20v0.5.pdf v0.5

    2025

  41. [41]

    Brandon Radosevich and James Halloran. 2025. MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits. arXiv:2504.03767 [cs.CR] doi:10.48550/arXiv.2504.03767

    work page doi:10.48550/arxiv.2504.03767 2025

  42. [42]

    S. R. Rayarao and N. Donikena. 2025. Bridging AI and External Systems: A Comprehensive Analysis of the Model Context Protocol (MCP). Preprint

    2025

  43. [43]

    Rise and Ignite. 2025. MCP-Shield: Security Scanner for Model Context Protocol Servers. https://github.com/riseandignite/mcp-shield. Accessed: 2025

    2025

  44. [44]

    Guangsheng Shen, Sheng Cheng, Ziming Zhang, Guanhua Tao, Kehuan Zhang, Haotian Guo, Longfei Yan, Xiaolong Jin, Shengwei An, Shiqing Ma, and Xiangyu Zhang. 2025. BAIT: Large Language Model Backdoor Scanning by Inverting Attack Target. In2025 IEEE Symposium on Security and Privacy (SP). IEEE, 1676–1694. https://ieeexplore.ieee.org/document/10503406

    work page arXiv 2025

  45. [45]

    Mohammad Lutfi Siddiq, Tanvir Hossain Romel, Nikola Sekerak, Brian Casey, and Jorge Santos. 2026. An Empirical Study on Remote Code Execution in Machine Learning Model Hosting Ecosystems. arXiv:2601.14163 [cs.CR] doi:10.48550/arXiv.2601.14163

    work page doi:10.48550/arxiv.2601.14163 2026

  46. [46]

    Haoyu Song, Yifan Shen, Wei Luo, Liang Guo, Tianyu Chen, Jianwei Wang, Bo Li, Xiang Zhang, and Jian Chen. 2025. Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol Ecosystem. arXiv:2506.02040 [cs.CR] doi:10.48550/arXiv.2506.02040

    work page doi:10.48550/arxiv.2506.02040 2025

  47. [47]

    Stacklok. 2025. ToolHive: Simplify and Secure Model Context Protocol Servers. https://docs.stacklok.com/toolhive/. Accessed: 2025

    2025

  48. [48]

    Matthew Styer, Kiran Patlolla, Madhav Mohan, and Sebastian Diaz. 2025. Agent Tools & Interoperability with MCP. https://www.kaggle.com/ whitepaper-agent-tools-and-interoperability-with-mcp. Accessed: Nov. 13, 2025

    2025

  49. [49]

    Zhenyu Tan, Rui Hao, Jeremy Singer, Yifan Tang, and Christos Anagnostopoulos. 2026. MCP-SandboxScan: WASM-based Secure Execution and Runtime Analysis for MCP Tools. arXiv:2601.01241 doi:10.48550/arXiv.2601.01241

    work page doi:10.48550/arxiv.2601.01241 2026

  50. [50]

    Karthikeyan Thirumalaisamy, Manikarthik Konakalla, and Dinesh Kumar Devamanoharan. 2025. AI MCP Servers in Cybersecurity: Emerging Attack Vectors and Mitigation Strategies. InAI MCP Servers in Cybersecurity: Emerging Attack Vectors and Mitigation Strategies. Zenodo, Bothell, Washington, USA. doi:10.5281/zenodo.17931691

    work page doi:10.5281/zenodo.17931691 2025

  51. [51]

    H. Wang, C. Qian, M. Li, J. Qiu, B. Xue, M. Wang, H. Ji, A. Storkey, and K.-F. Wong. 2025. Position: Agent Should Invoke External Tools ONLY When Epistemically Necessary. arXiv:2506.00886 doi:10.48550/arXiv.2506.00886

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2506.00886 2025

  52. [52]

    Lei Wang, Chao Ma, Xinyu Feng, Zihan Zhang, Haonan Yang, Jing Zhang, Zihan Chen, Jie Tang, Xiaoyan Chen, Yuxiang Lin, and Wei-Xing Zhao

  53. [53]

    A Survey on Large Language Model Based Autonomous Agents.Frontiers of Computer Science18, 6 (2024), 186345

    2024

  54. [54]

    Zhiqiang Wang, Yichao Gao, Yanting Wang, Suyuan Liu, Haifeng Sun, Haoran Cheng, Guanquan Shi, Haohua Du, and Xiangyang Li. 2025. MCPTox: A Benchmark for Tool Poisoning Attack on Real-World MCP Servers. arXiv:2508.14925 [cs.CR] doi:10.48550/arXiv.2508.14925

    work page doi:10.48550/arxiv.2508.14925 2025

  55. [55]

    Zhiqiang Wang, Junyang Zhang, Guanquan Shi, HaoRan Cheng, Yunhao Yao, Kaiwen Guo, Haohua Du, and Xiang-Yang Li. 2025. MINDGUARD: Tracking, Detecting, and Attributing MCP Tool Poisoning Attack via Decision Dependence Graph. arXiv:2508.20412 doi:10.48550/arXiv.2508.20412

    work page doi:10.48550/arxiv.2508.20412 2025

  56. [56]

    Zihan Wang, Rui Zhang, Yu Liu, Wenshu Fan, Wenbo Jiang, Qingchuan Zhao, Hongwei Li, and Guowen Xu. 2025. MPMA: Preference Manipulation Attack against Model Context Protocol. arXiv:2505.11154 [cs.CR] doi:10.48550/arXiv.2505.11154

    work page doi:10.48550/arxiv.2505.11154 2025

  57. [57]

    Jason Wei, Nika Haghtalab, Jacob Steinhardt, and James Zou. 2023. Jailbroken: How Does LLM Safety Training Fail? arXiv:2307.02483 doi:10.48550/ arXiv.2307.02483

    work page internal anchor Pith review arXiv 2023

  58. [58]

    Zijian Wu, Xiangyan Liu, Xinyuan Zhang, Lingjun Chen, Fanqing Meng, Lingxiao Du, Yiran Zhao, et al . 2025. MCPMark: A Benchmark for Stress-Testing Realistic and Comprehensive MCP Use. arXiv:2509.24002 [cs.AI] doi:10.48550/arXiv.2509.24002

    work page doi:10.48550/arxiv.2509.24002 2025

  59. [59]

    Wenpeng Xing, Zhonghao Qi, Yupeng Qin, Yilin Li, Caini Chang, Jiahui Yu, Changting Lin, Zhenzhen Xie, and Meng Han. 2025. MCP-Guard: A Multi- Stage Defense-in-Depth Framework for Securing Model Context Protocol in Agentic AI. arXiv:2508.10991 [cs.CR] doi:10.48550/arXiv.2508.10991

    work page doi:10.48550/arxiv.2508.10991 2025

  60. [60]

    L. Yan, J. Mei, T. Zhou, L. Huang, J. Zhang, D. Liu, and J. Shao. 2025. TradeTrap: Are LLM-based Trading Agents Truly Reliable and Faithful? arXiv:2512.02261 [cs.AI] doi:10.48550/arXiv.2512.02261

    work page doi:10.48550/arxiv.2512.02261 2025

  61. [61]

    Kai Yang, Guanhua Tao, Xinyun Chen, and Jian Xu. 2025. Alleviating the Fear of Losing Alignment in LLM Fine-tuning. In2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2152–2170. https://ieeexplore.ieee.org/document/10503431

    work page arXiv 2025

  62. [62]

    W. Yang, X. Bi, Y. Lin, S. Chen, J. Zhou, and X. Sun. 2024. Watch Out for Your Agents! Investigating Backdoor Threats to LLM-Based Agents. Advances in Neural Information Processing Systems37 (2024), 100938–100964

    2024

  63. [63]

    Yixuan Yang, Daoyuan Wu, and Yufan Chen. 2025. MCPSecBench: A Systematic Security Benchmark and Playground for Testing Model Context Protocols. arXiv:2508.13220 [cs.CR] doi:10.48550/arXiv.2508.13220

    work page doi:10.48550/arxiv.2508.13220 2025

  64. [64]

    ReAct: Synergizing Reasoning and Acting in Language Models

    S. Yao et al. 2023. ReAct: Synergizing Reasoning and Acting in Language Models. arXiv:2210.03629 doi:10.48550/arXiv.2210.03629

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2210.03629 2023

  65. [65]

    C. Yu, Z. Cheng, H. Cui, Y. Gao, Z. Luo, Y. Wang, H. Zheng, and Y. Zhao. 2025. A Survey on Agent Workflow—Status and Future. In2025 8th International Conference on Artificial Intelligence and Big Data (ICAIBD). IEEE, 770–781

    2025

  66. [66]

    Dongsen Zhang, Zekun Li, Xu Luo, Xuannan Liu, Peipei Li, and Wenjun Xu. 2025. MCP Security Bench (MSB): Benchmarking Attacks Against Model Context Protocol in LLM Agents. arXiv:2510.15994 [cs.CR] doi:10.48550/arXiv.2510.15994

    work page doi:10.48550/arxiv.2510.15994 2025

  67. [67]

    Sheng Zhao, Qiming Hou, Zhe Zhan, Yu Wang, Yiming Xie, Yuxin Guo, Lei Chen, Shuai Li, and Zhi Xue. 2025. Mind Your Server: A Systematic Study of Parasitic Toolchain Attacks on the MCP Ecosystem. arXiv:2509.06572 doi:10.48550/arXiv.2509.06572 MCP-DPT: A Defense-Placement Taxonomy and Coverage Analysis for Model Context Protocol Security 25

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2509.06572 2025

  68. [68]

    Weibo Zhao, Jiahao Liu, Bonan Ruan, Shaofei Li, and Zhenkai Liang. 2025. When MCP Servers Attack: Taxonomy, Feasibility, and Mitigation. arXiv:2509.24272 [cs.CR] doi:10.48550/arXiv.2509.24272

    work page doi:10.48550/arxiv.2509.24272 2025

  69. [69]

    P. Zhu, Z. Zhou, Y. Zhang, S. Yan, K. Wang, and S. Su. 2025. DemonAgent: Dynamically Encrypted Multi-Backdoor Implantation Attack on LLM-Based Agent. arXiv:2502.12575 doi:10.48550/arXiv.2502.12575

    work page doi:10.48550/arxiv.2502.12575 2025

  70. [70]

    Xuanjun Zong, Zhiqi Shen, Lei Wang, Yunshi Lan, and Chao Yang. 2025. MCP-SafetyBench: A Benchmark for Safety Evaluation of Large Language Models with Real-World MCP Servers. arXiv:2512.15163 [cs.CL] doi:10.48550/arXiv.2512.15163

    work page doi:10.48550/arxiv.2512.15163 2025