Pith · machine review for the scientific record

arxiv: 2605.07836 · v1 · submitted 2026-05-08 · 💻 cs.SE

Recognition: no theorem link

Unsafe by Flow: Uncovering Bidirectional Data-Flow Risks in MCP Ecosystem


Pith reviewed 2026-05-11 02:16 UTC · model grok-4.3

classification 💻 cs.SE
keywords Model Context Protocol · static analysis · data flow vulnerabilities · bidirectional taint analysis · vulnerability detection · LLM security · MCP servers

The pith

Bidirectional static analysis detects unsafe data flows in MCP servers that general tools overlook.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that Model Context Protocol servers, which connect LLM agents to external tools, contain bidirectional unsafe data flows. These include cases where requester-controlled inputs reach sensitive operations or where internal data leaks through outputs to influence the model or host. Because MCP servers use varied registration and dispatch patterns, standard analysis tools struggle to track the full execution paths. MCP-BiFlow addresses this with protocol-specific entrypoint recovery, taint modeling, and interprocedural tracking in both directions. On a benchmark it catches most known issues, and on real code it confirms over a hundred vulnerability paths, indicating this is a common failure mode.

Core claim

MCP-BiFlow recovers MCP-specific entry points, applies protocol-aware taint semantics, and performs interprocedural analysis to trace data flows from request arguments to sensitive operations and from sensitive data to MCP outputs. This identifies 30 of 32 known vulnerability cases with 93.8 percent recall, exceeding the performance of CodeQL, Semgrep, Snyk Code, and MCPScan. In an analysis of over 15,000 real MCP server repositories the tool flags 549 candidate clusters, of which manual review confirms 118 vulnerability paths in 87 distinct servers.

What carries the argument

MCP-BiFlow, a bidirectional static analysis framework that performs MCP-aware entrypoint recovery, protocol-specific taint modeling, and interprocedural propagation analysis to track both request-to-operation and data-to-output flows.

Load-bearing premise

The manual review of the 549 candidate clusters accurately identifies true vulnerabilities without significant false positives, and the 32 benchmark cases represent the typical range of MCP risks.

What would settle it

Running MCP-BiFlow on a fresh set of MCP servers with independently verified vulnerabilities and checking whether recall stays near 93 percent or if many flagged paths prove false upon inspection.

Figures

Figures reproduced from arXiv: 2605.07836 by Haoyu Wang, Xinyi Hou, Yanjie Zhao.

Figure 1: Data flows in MCP systems. Text captured with the figure: "agent ecosystems [48, 49]. Alongside this growth, the mechanism of tool use has itself changed, moving from application-specific function calling and framework-level abstractions toward more reusable and interoperable interfaces, including protocolized connectors such as MCP and modular capability packages such as skills [23, 42, 44, 46]. 2.2 The Rise of Model Context Protocol M…"

Figure 2: Running example based on CVE-2025-65513, marking request-side (…

Figure 3: Overview of the MCP-BiFlow pipeline. Text captured with the figure: "or lower level handlers such as list_tools() and call_tool(). In the TypeScript SDK, tools may be exposed either through direct registration APIs such as tool(...) or through protocol request handlers such as setRequestHandler(CallToolRequestSchema, ...). Example in …"

Figure 5: Core taint propagation rules in MCP-BiFlow. Text captured with the figure: "directly from parameter to sink. At this level, taint continuity is governed by three recurring local patterns: if a tainted value y is assigned to x, then x remains tainted (Rule 1); if a tainted component v is written into a structured location such as o.f, or later read back from it, the taint is preserved across that object boundary (Rule 2); and if a respo…"

Figure 6: Request-side propagation to command execution.

Figure 7: Externally sourced propagation with return-side …
Original abstract

Model Context Protocol (MCP) servers have quickly become the interface layer between LLM agents and external tools, yet they also introduce unsafe data flows that existing analyzers handle poorly. Vulnerabilities manifest in two directions: requester-controlled arguments may propagate to sensitive operations, while untrusted external or sensitive internal data may surface through MCP-visible outputs and subsequently influence host or model behavior. Accurate detection is complicated by the heterogeneous registration and dispatch patterns MCP servers employ, the need for MCP-specific taint semantics, and the fact that bugs often only materialize along complete tool-scoped execution paths. We present MCP-BiFlow, a bidirectional static analysis framework built around MCP-aware entrypoint recovery, protocol-specific taint modeling, and interprocedural propagation analysis. Against a benchmark of 32 confirmed MCP vulnerability cases, MCP-BiFlow identifies 30 (93.8% recall), substantially outperforming CodeQL, Semgrep, Snyk Code, and MCPScan. Across 15,452 real-world MCP server repositories, MCP-BiFlow surfaces 549 overlap-compressed candidate clusters; manual review confirms 118 vulnerability paths in 87 servers, establishing unsafe propagation as a recurring failure mode that resists detection without protocol-aware recovery of both request-side and return-side flows.
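The two directions the abstract describes (request-side: a tool argument reaching a sensitive operation; return-side: sensitive internal data surfacing in an MCP-visible output) and the local propagation rules quoted beside Figure 5 can be shown at toy scale. The Python block below is an added illustration written for this page; it is not MCP-BiFlow and not code from the paper. It recovers decorator-registered tool entrypoints (the `@mcp.tool()` style of the Python SDK; a decorator ending in `.call_tool` is accepted as the lower-level handler form), taints every tool argument as requester-controlled, applies Rule 1 (assignment) and Rule 2 (field write and read-back), and reports a command-execution sink that receives request taint or a `return` whose value carries environment-derived data. The sink, source and sanitiser tables, the analysed sample server, the label names and the field-level bookkeeping for Rule 2 are all assumptions made for the demo; the walk is intraprocedural only, so the paper's interprocedural propagation and its third (response) rule are not modelled.

```python
import ast

# Constructed sink/source tables for the demo; a real analyzer carries far more entries.
SINK_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call", "os.system", "os.popen"}
SENSITIVE_READS = {"os.environ", "os.environ.get", "os.getenv"}
SANITIZERS = {"shlex.quote"}

def dotted(node):
    """Render a Name/Attribute chain such as os.environ.get as a dotted string, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tool_entrypoint(func):
    """Entrypoint recovery for decorator-registered tools: @mcp.tool(), @mcp.tool, @server.call_tool()."""
    for dec in func.decorator_list:
        name = dotted(dec.func if isinstance(dec, ast.Call) else dec) or ""
        if name.endswith((".tool", ".call_tool")):
            return True
    return False

class ToolFlow(ast.NodeVisitor):
    """Intraprocedural taint walk over one tool body; labels are 'request' and 'sensitive'."""
    def __init__(self, func):
        self.func = func
        self.taint = {a.arg: {"request"} for a in func.args.args}  # arguments are requester-controlled
        self.findings = []

    def labels(self, node):
        """Taint labels of an expression: Rule 1 through names, Rule 2 through field read-back."""
        if isinstance(node, ast.Name):
            return set(self.taint.get(node.id, set()))
        if isinstance(node, ast.Attribute):
            key = dotted(node)
            if key in SENSITIVE_READS:
                return {"sensitive"}
            return set(self.taint.get(key, set())) | self.labels(node.value)
        if isinstance(node, ast.Call):
            callee = dotted(node.func) or ""
            if callee in SENSITIVE_READS:
                return {"sensitive"}
            if callee in SANITIZERS:  # a recognised sanitiser ends the request-side flow
                return set()
            recv = self.labels(node.func.value) if isinstance(node.func, ast.Attribute) else set()
            return recv.union(*(self.labels(a) for a in node.args + [kw.value for kw in node.keywords]))
        # f-strings, concatenation, containers, subscripts: the union of their parts; leaves give set()
        return set().union(*(self.labels(c) for c in ast.iter_child_nodes(node)))

    def visit_Assign(self, node):
        lab = self.labels(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):  # Rule 1: x = y
                self.taint[target.id] = lab
            elif isinstance(target, (ast.Attribute, ast.Subscript)):  # Rule 2: o.f = v or o[k] = v
                key, base = dotted(target), dotted(target.value)
                if key:
                    self.taint[key] = lab
                if base:  # the enclosing object carries the taint as well
                    self.taint[base] = self.taint.get(base, set()) | lab
        self.generic_visit(node)

    def visit_Call(self, node):  # request-side: tainted argument reaches a command sink
        callee = dotted(node.func)
        if callee in SINK_CALLS and "request" in self.labels(node):
            self.findings.append(("request-side", self.func.name, node.lineno, callee))
        self.generic_visit(node)

    def visit_Return(self, node):  # return-side: sensitive data reaches the tool's response
        if node.value is not None and "sensitive" in self.labels(node.value):
            self.findings.append(("return-side", self.func.name, node.lineno, "return"))
        self.generic_visit(node)

def analyze(source):
    """Recover the MCP tool entrypoints of one server module and run both taint directions on each."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)) and is_tool_entrypoint(node):
            walker = ToolFlow(node)
            walker.visit(node)
            findings.extend(walker.findings)
    return findings

# Constructed sample server (parsed, never executed): an injectable tool, its hardened twin,
# and a tool that leaks an environment secret through its response.
SAMPLE_SERVER = '''
@mcp.tool()
def git_log(repo: str, branch: str) -> str:
    cmd = f"git -C {repo} log --oneline {branch}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
@mcp.tool()
def safe_git_log(repo: str, branch: str) -> str:
    cmd = "git -C " + shlex.quote(repo) + " log --oneline " + shlex.quote(branch)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
@mcp.tool()
def whoami() -> dict:
    ctx = {}
    ctx["token"] = os.environ.get("API_TOKEN")
    return {"user": "demo", "debug": ctx["token"]}
'''
```

Calling `analyze(SAMPLE_SERVER)` returns two findings: the `subprocess.run` call in `git_log` on the request side and the `return` in `whoami` on the return side, the latter only because Rule 2 carries the label from the `ctx["token"]` store to the read-back in the response. `safe_git_log` produces nothing, since `shlex.quote` is in the sanitiser table and drops the request label before the sink; the flow-sensitive strong update on assignment is what lets a sanitised rebinding clear an earlier taint.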

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper introduces MCP-BiFlow, a bidirectional static analysis framework for detecting unsafe data flows in Model Context Protocol (MCP) servers. It claims 93.8% recall (30 of 32 cases) on a benchmark of confirmed MCP vulnerabilities, outperforming CodeQL, Semgrep, Snyk Code, and MCPScan. On 15,452 real-world MCP server repositories, the tool surfaces 549 overlap-compressed candidate clusters; manual review then confirms 118 vulnerability paths across 87 servers, establishing bidirectional unsafe propagation as a recurring issue.

Significance. If the empirical results hold under more rigorous validation, the work is significant for LLM-agent security: MCP is an emerging interface layer, and the paper's emphasis on both request-side and return-side flows, plus protocol-aware entrypoint recovery, addresses a gap that generic analyzers miss. The scale of the real-world scan (15k repositories) and the reported recall advantage provide concrete evidence that protocol-specific taint modeling can surface previously undetected risks.

major comments (3)
  1. [§5] §5 (Evaluation, real-world subsection): The manual review that converts 549 clusters into 118 confirmed vulnerability paths lacks any documented decision criteria (e.g., required taint-reachability conditions, threat-model assumptions, or exclusion rules for benign flows), blinding, or inter-rater agreement statistics. Because this labeling step is the sole basis for the prevalence claim, the absence of these details makes the 87-server figure non-reproducible and vulnerable to systematic over-counting.
  2. [§4 and §5.1] §4 (Implementation) and §5.1 (Benchmark): The paper provides no concrete description of the MCP-specific taint semantics, the accuracy of the interprocedural propagation analysis, or the precise entrypoint-recovery heuristics for heterogeneous registration/dispatch patterns. Without these internals, it is impossible to diagnose why MCP-BiFlow outperforms the four baselines or to assess whether the 93.8% recall generalizes beyond the 32 high-level benchmark cases.
  3. [§5.1] §5.1 (Benchmark): The 32 confirmed cases are characterized only at a high level; no breakdown by vulnerability class, no discussion of how representative they are of the full MCP threat surface, and no public artifact or listing is referenced. This weakens the recall metric as a load-bearing claim.
minor comments (2)
  1. [Abstract] Abstract and §3: The term 'overlap-compressed candidate clusters' is introduced without a definition or reference to the compression algorithm; a short paragraph or citation would clarify the reduction from raw findings to the 549 clusters.
  2. [Abstract] Throughout: Ensure first-use definitions for all tool names (CodeQL, Semgrep, Snyk Code, MCPScan) and for 'MCP' itself; the current abstract assumes reader familiarity.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive comments that identify opportunities to strengthen the reproducibility and transparency of our evaluation. We address each major point below and indicate the revisions we will make.

Point-by-point responses
  1. Referee: [§5] The manual review that converts 549 clusters into 118 confirmed vulnerability paths lacks any documented decision criteria (e.g., required taint-reachability conditions, threat-model assumptions, or exclusion rules for benign flows), blinding, or inter-rater agreement statistics. This makes the 87-server figure non-reproducible.

    Authors: We agree that the manual review process requires more explicit documentation. In the revised manuscript we will add a dedicated paragraph in §5 describing the decision criteria: a path is confirmed only if it demonstrates bidirectional taint reachability (MCP-exposed parameter to sensitive sink or sensitive data to MCP-visible return), under the threat model of untrusted client inputs and internal sensitive operations. Benign flows (e.g., sanitized data or non-exploitable paths) are excluded by explicit rules. The review was performed by two authors with disagreement resolution by discussion; we will note that formal inter-rater statistics were not computed. These additions will improve reproducibility. revision: yes

  2. Referee: [§4 and §5.1] The paper provides no concrete description of the MCP-specific taint semantics, the accuracy of the interprocedural propagation analysis, or the precise entrypoint-recovery heuristics for heterogeneous registration/dispatch patterns.

    Authors: We acknowledge the need for greater implementation detail. We will expand §4 with concrete examples of MCP-specific taint semantics (modeling of bidirectional flows for tool arguments and return values), the interprocedural propagation algorithm, and the entrypoint-recovery heuristics (pattern matching for decorator-based registration, explicit dispatch, and common MCP server frameworks). These additions will clarify why MCP-BiFlow outperforms the baselines and support evaluation of generalization. revision: yes

  3. Referee: [§5.1] The 32 confirmed cases are characterized only at a high level; no breakdown by vulnerability class, no discussion of how representative they are of the full MCP threat surface, and no public artifact or listing is referenced.

    Authors: We will revise §5.1 to include a breakdown of the 32 cases by vulnerability class (e.g., injection, information leakage, privilege escalation) and a discussion of their representativeness based on patterns observed across the 15k-repository scan. We will also release a high-level anonymized listing of the benchmark cases as supplementary material or in a public repository, subject to any constraints from the original vulnerability reports. This will make the recall metric more transparent. revision: partial

Circularity Check

0 steps flagged

No significant circularity: empirical tool evaluation with direct counts and manual confirmation.

Full rationale

The paper presents MCP-BiFlow as a static analysis framework and reports its performance via direct application: 30/32 recall on a benchmark set and 118 manually confirmed paths from 549 clusters across 15,452 repositories. No equations, fitted parameters, predictions derived from inputs, or self-citation chains appear in the abstract or described methodology. The results are empirical measurements and human-labeled outcomes rather than any derivation that reduces to its own assumptions by construction. The manual review step, while potentially subjective, is an external validation process and does not create self-referential reduction in any claimed derivation.

Axiom & Free-Parameter Ledger

0 free parameters · 3 axioms · 1 invented entity

The claims rest on domain assumptions about MCP protocol behavior and the necessity of custom taint modeling, with no independent evidence or verification supplied in the abstract.

axioms (3)
  • domain assumption MCP servers employ heterogeneous registration and dispatch patterns that require specific entrypoint recovery.
    Abstract states this as a reason accurate detection is complicated.
  • domain assumption MCP-specific taint semantics are required for accurate propagation analysis.
    Abstract presents this as part of the framework design.
  • domain assumption Bugs often only materialize along complete tool-scoped execution paths.
    Abstract cites this as a detection challenge.
invented entities (1)
  • MCP-BiFlow no independent evidence
    purpose: Bidirectional static analysis framework for MCP data flows
    New tool introduced as the main contribution.



Reference graph

Works this paper leans on

66 extracted references · 66 canonical work pages · 9 internal anchors

[1] Sahar Abdelnabi, Kai Greshake, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. 2023. Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. In Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security, AISec 2023, Copenhagen, Denmark, 30 November 2023, Maura ...

[2] Ant Group. 2026. MCPScan. https://github.com/antgroup/MCPScan. Accessed 2026-03-25.

[3] Anthropic. 2024. Developing a Computer Use Model. https://www.anthropic.com/news/developing-computer-use. Accessed 2026-03-25.

[4] Anthropic. 2024. Introducing the Model Context Protocol. https://www.anthropic.com/news/model-context-protocol. Accessed 2026-03-25.

[5] Anthropic. 2024. Model Context Protocol Documentation. https://modelcontextprotocol.io/. Accessed 2026-03-26.

[6] Anthropic. 2025. Code Execution with MCP: Building More Efficient AI Agents. https://www.anthropic.com/engineering/code-execution-with-mcp. Accessed 2026-03-25.

[7] Anthropic. 2026. Claude Code Overview. https://docs.anthropic.com/en/docs/agents-and-tools/claude-code/overview. Accessed 2026-03-25.

[8] Baidu. 2025. MCP World: Explore a Vast Collection of MCP Servers. https://www.mcpworld.com/. Accessed 2026-03-26.

[9] Manish Bhatt, Vineeth Sai Narajala, and Idan Habler. 2025. ETDI: Mitigating Tool Squatting and Rug Pull Attacks in Model Context Protocol (MCP) by using OAuth-Enhanced Tool Definitions and Policy-Based Access Control. CoRR abs/2506.01333 (2025). arXiv:2506.01333. doi:10.48550/ARXIV.2506.01333.

[10] Ivo Brett. 2025. Simplified and Secure MCP Gateways for Enterprise AI Integration. CoRR abs/2504.19997 (2025). arXiv:2504.19997. doi:10.48550/ARXIV.2504.19997.

[11] ByteDance. 2024. Coze plugin store. https://www.coze.com/store/plugin.

[12] CrewAI. 2025. CrewAI. https://github.com/crewAIInc/crewAI. Accessed 2026-03-26.

[13] Zehang Deng, Yongjian Guo, Changzhou Han, Wanlun Ma, Junwu Xiong, Sheng Wen, and Yang Xiang. 2024. AI Agents Under Threat: A Survey of Key Security Challenges and Future Pathways. CoRR abs/2406.02630 (2024). arXiv:2406.02630. doi:10.48550/ARXIV.2406.02630.

[14] Yuyou Gan, Yong Yang, Zhe Ma, Ping He, Rui Zeng, Yiming Wang, Qingming Li, Chunyi Zhou, Songze Li, Ting Wang, Yunjun Gao, Yingcai Wu, and Shouling Ji.

[15] Navigating the Risks: A Survey of Security, Privacy, and Ethics Threats in LLM-Based Agents. CoRR abs/2411.09523 (2024). arXiv:2411.09523. doi:10.48550/ARXIV.2411.09523.

[16] GitHub. 2026. CodeQL. https://codeql.github.com/. Accessed 2026-03-25.

[17] GitHub Security Advisory. 2025. GHSA-3q26-f695-pp76: @cyanheads/git-mcp-server Command Injection / RCE. https://github.com/advisories/GHSA-3q26-f695-pp76. CVE-2025-53107. Accessed 2026-03-25.

[18] GitHub Security Advisory. 2025. GHSA-gjv4-ghm7-q58q: mcp-server-kubernetes Command Injection / RCE. https://github.com/advisories/GHSA-gjv4-ghm7-q58q. CVE-2025-53355. Accessed 2026-03-25.

[19] GitHub Security Advisory. 2025. GHSA-hc55-p739-j48w: @modelcontextprotocol/server-filesystem Path Traversal / Unauthorized File Access. https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-hc55-p739-j48w. CVE-2025-53110. Accessed 2026-03-25.

[20] GLips. 2025. GLips/Figma-Context-MCP. https://github.com/GLips/Figma-Context-MCP. Accessed 2026-03-26.

[21] Ant Group. 2025. YASA (Yet Another Static Analyzer). https://github.com/antgroup/YASA-Engine. Accessed 2026-03-26.

[22] Mohammed Mehedi Hasan, Hao Li, Emad Fallahzadeh, Gopi Krishnan Rajbahadur, Bram Adams, and Ahmed E. Hassan. 2025. Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers. CoRR abs/2506.13538 (2025). arXiv:2506.13538. doi:10.48550/ARXIV.2506.13538.

[24] Xinyi Hou, Yanjie Zhao, Shenao Wang, and Haoyu Wang. 2025. Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions. CoRR abs/2503.23278 (2025). arXiv:2503.23278. doi:10.48550/ARXIV.2503.23278.

[25] Sonu Kumar, Anubhav Girdhar, Ritesh Patil, and Divyansh Tripathi. 2025. MCP Guardian: A Security-First Layer for Safeguarding MCP-Based AI System. CoRR abs/2504.12757 (2025). arXiv:2504.12757. doi:10.48550/ARXIV.2504.12757.

[26] LangChain. 2022. LangChain: Framework for developing applications powered by language models. https://github.com/langchain-ai/langchain.

[27] LangChain. 2024. Announcing LangGraph v0.1 & LangGraph Cloud: Running Agents at Scale, Reliably. https://blog.langchain.dev/langgraph-cloud. Accessed 2026-03-25.

[28] LangChain. 2024. LangChain v0.1.0. https://blog.langchain.dev/langchain-v0-1-0/. Accessed 2026-03-25.

[29] Yuanchun Li, Hao Wen, Weijun Wang, Xiangyu Li, Yizhen Yuan, Guohong Liu, Jiacheng Liu, Wenxing Xu, Xiang Wang, Yi Sun, Rui Kong, Yile Wang, Hanfei Geng, Jian Luan, Xuefeng Jin, Zilong Ye, Guanjing Xiong, Fan Zhang, Xiang Li, Mengwei Xu, Zhijun Li, Peng Li, Yang Liu, Ya-Qin Zhang, and Yunxin Liu. 2024. Personal LLM Agents: Insights and Survey about the Cap...

[30] Tong Liu, Zizhuang Deng, Guozhu Meng, Yuekang Li, and Kai Chen. 2023. Demystifying RCE Vulnerabilities in LLM-Integrated Apps. CoRR abs/2309.02926 (2023). arXiv:2309.02926. doi:10.48550/ARXIV.2309.02926.

[31] Manus. 2025. Manus. https://manus.im/. Accessed 2026-03-26.

[32] MCP Core Maintainers. 2025. Exploring the Future of MCP Transports. https://blog.modelcontextprotocol.io/posts/2025-12-19-mcp-transport-future/. Accessed 2026-03-25.

[33] Microsoft. 2025. microsoft/playwright-mcp. https://github.com/microsoft/playwright-mcp. Accessed 2026-03-26.

[34] Model Context Protocol. 2025. Architecture Overview. https://modelcontextprotocol.io/docs/learn/architecture. Accessed 2026-03-25.

[35] Model Context Protocol. 2025. Lifecycle. https://modelcontextprotocol.io/specification/2025-03-26/basic/lifecycle. Accessed 2026-03-25.

[36] Model Context Protocol. 2025. Model Context Protocol: Introduction. https://modelcontextprotocol.io/docs/getting-started/intro. Accessed 2026-03-25.

[37] Model Context Protocol. 2025. Model Context Protocol Specification. https://modelcontextprotocol.io/specification/2025-11-25. Accessed 2026-03-25.

[38] Model Context Protocol. 2025. Understanding MCP Clients. https://modelcontextprotocol.io/docs/learn/client-concepts. Accessed 2026-03-25.

[39] National Vulnerability Database. 2025. CVE-2025-5277: aws-mcp-server Command Injection Vulnerability. https://nvd.nist.gov/vuln/detail/CVE-2025-5277. Accessed 2026-03-25.

[40] National Vulnerability Database. 2025. CVE-2025-53107. https://nvd.nist.gov/vuln/detail/CVE-2025-53107. Accessed 2026-03-26.

[41] National Vulnerability Database. 2025. CVE-2025-53355. https://nvd.nist.gov/vuln/detail/CVE-2025-53355. Accessed 2026-03-26.

[42] OpenAI. 2023. ChatGPT plugins. https://openai.com/index/chatgpt-plugins/.

[43] OpenAI. 2025. Function Calling. https://developers.openai.com/api/docs/guides/function-calling/. Accessed 2026-03-25.

[44] OpenAI. 2025. Introducing Codex. https://openai.com/index/introducing-codex/. Accessed 2026-03-25.

[45] OpenAI. 2026. Agent Skills — Codex. https://developers.openai.com/codex/skills/. Accessed 2026-03-25.

[46] OpenAI. 2026. Introducing the Codex App. https://openai.com/index/introducing-the-codex-app/. Accessed 2026-03-25.

[47] OpenAI. 2026. Skills. https://developers.openai.com/api/docs/guides/tools-skills/. Accessed 2026-03-25.

[48] OpenClaw. 2025. OpenClaw. https://github.com/cyberagiinc/OpenClaw. Accessed 2026-03-26.

[49] OpenClaw. 2026. Introducing OpenClaw. https://openclaw.ai/blog/introducing-openclaw. Accessed 2026-03-25.

[50] OpenClaw. 2026. Trust — OpenClaw. https://trust.openclaw.ai/. Accessed 2026-03-25.

[51] Brandon Radosevich and John Halloran. 2025. MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits. CoRR abs/2504.03767 (2025). arXiv:2504.03767. doi:10.48550/ARXIV.2504.03767.

[52] Timo Schick, Jane Dwivedi-Yu, Roberto Dessì, Roberta Raileanu, Maria Lomeli, Luke Zettlemoyer, Nicola Cancedda, and Thomas Scialom. 2023. Toolformer: Language Models Can Teach Themselves to Use Tools. CoRR abs/2302.04761 (2023). arXiv:2302.04761. doi:10.48550/ARXIV.2302.04761.

[53] Semgrep. 2026. Semgrep. https://github.com/semgrep/semgrep. Accessed 2026-03-25.

[54] Snyk. 2025. Snyk Code: Support for MCP Server Sources. https://updates.snyk.io/snyk-code-support-for-mcp-server-sources-319181/. Accessed 2026-03-26.

[55] Snyk. 2026. Snyk Code. https://snyk.io/product/snyk-code/. Accessed 2026-03-25.

[56] Yuntao Wang, Yanghe Pan, Zhou Su, Yi Deng, Quan Zhao, Linkang Du, Tom H. Luan, Jiawen Kang, and Dusit Niyato. 2025. Large Model Based Agents: State-of-the-Art, Cooperation Paradigms, Security and Privacy, and Future Trends. arXiv:2409.14457 [cs.AI]. https://arxiv.org/abs/2409.14457.

[57] Zihan Wang, Hongwei Li, Rui Zhang, Yu Liu, Wenbo Jiang, Wenshu Fan, Qingchuan Zhao, and Guowen Xu. 2025. MPMA: Preference Manipulation Attack Against Model Context Protocol. CoRR abs/2505.11154 (2025). arXiv:2505.11154. doi:10.48550/ARXIV.2505.11154.

[58] Lilian Weng. 2023. LLM-powered Autonomous Agents. Lil'Log (June 2023). https://lilianweng.github.io/posts/2023-06-23-agent/.

[59] Qingyun Wu, Gagan Bansal, Jieyu Zhang, Yiran Wu, Beibin Li, Erkang Zhu, Li Jiang, Xiaoyun Zhang, and Chi Wang. 2023. AutoGen: Enabling Next-Gen LLM Applications via Multi-Agent Conversation. arXiv preprint arXiv:2308.08155 (2023). arXiv:2308.08155 [cs.AI]. https://arxiv.org/abs/2308.08155.

[60] Zhiheng Xi, Wenxiang Chen, Xin Guo, Wei He, Yiwen Ding, Boyang Hong, Ming Zhang, Junzhe Wang, Senjie Jin, Enyu Zhou, Rui Zheng, Xiaoran Fan, Xiao Wang, Limao Xiong, Yuhao Zhou, Weiran Wang, Changhao Jiang, Yicheng Zou, Xiangyang Liu, Zhangyue Yin, Shihan Dou, Rongxiang Weng, Wensen Cheng, Qi Zhang, Wenjuan Qin, Yongyan Zheng, Xipeng Qiu, Xuanjing Huang, a...

[61] Wenpeng Xing, Zhonghao Qi, Yupeng Qin, Yilin Li, Caini Chang, Jiahui Yu, Changting Lin, Zhenzhen Xie, and Meng Han. 2025. MCP-Guard: A Defense Framework for Model Context Protocol Integrity in Large Language Model Applications. CoRR abs/2508.10991 (2025). arXiv:2508.10991. doi:10.48550/ARXIV.2508.10991.

[62] Yixuan Yang, Daoyuan Wu, and Yufan Chen. 2025. MCPSecBench: A Systematic Security Benchmark and Playground for Testing Model Context Protocols. CoRR abs/2508.13220 (2025). arXiv:2508.13220. doi:10.48550/ARXIV.2508.13220.

[63] Shunyu Yao, Jeffrey Zhao, Dian Yu, Nan Du, Izhak Shafran, Karthik Narasimhan, and Yuan Cao. 2022. ReAct: Synergizing Reasoning and Acting in Language Models. CoRR abs/2210.03629 (2022). arXiv:2210.03629. doi:10.48550/ARXIV.2210.03629.

[64] Miao Yu, Fanci Meng, Xinyun Zhou, Shilong Wang, Junyuan Mao, Linsey Pang, Tianlong Chen, Kun Wang, Xinfeng Li, Yongfeng Zhang, et al. 2025. A Survey on Trustworthy LLM Agents: Threats and Countermeasures. arXiv preprint arXiv:2503.09648 (2025).

[65] Hanrong Zhang, Jingyuan Huang, Kai Mei, Yifei Yao, Zhenting Wang, Chenlu Zhan, Hongwei Wang, and Yongfeng Zhang. 2024. Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents. CoRR abs/2410.02644 (2024). arXiv:2410.02644. doi:10.48550/ARXIV.2410.02644.

[66] Shuli Zhao, Qinsheng Hou, Zihan Zhan, Yanhao Wang, Yuchong Xie, Yu Guo, Libo Chen, Shenghong Li, and Zhi Xue. 2025. Mind Your Server: A Systematic Study of Parasitic Toolchain Attacks on the MCP Ecosystem. CoRR abs/2509.06572 (2025). arXiv:2509.06572. doi:10.48550/ARXIV.2509.06572.

[67] Weibo Zhao, Jiahao Liu, Bonan Ruan, Shaofei Li, and Zhenkai Liang. 2025. When MCP Servers Attack: Taxonomy, Feasibility, and Mitigation. CoRR abs/2509.24272 (2025). arXiv:2509.24272. doi:10.48550/ARXIV.2509.24272.