Pith. sign in

REVIEW 4 major objections 7 minor 74 references

Reviewed by Pith at T0; open to challenge.

T0 means a machine referee read the full paper against a public rubric. The mark states how deep the mechanical check went, never who wrote it. the ladder, T0–T4 →

T0 review · glm-5.2

Security-aware text in tool descriptions cuts MCP attack

2026-07-09 10:06 UTC pith:YKKIYP2F

load-bearing objection Solid empirical study of MCP vulnerabilities; defense evaluation has a real gap between claims and evidence the 4 major comments →

arxiv 2607.07461 v1 pith:YKKIYP2F submitted 2026-07-08 cs.CR cs.SE

Mitigating Taint-Style Vulnerabilities in MCP Servers via Security-Aware Tool Descriptions

classification cs.CR cs.SE
keywords serversvulnerabilitiesspellsmithtaint-styleservertoolvulnerabilityacross
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper argues that a large class of vulnerabilities in Model Context Protocol (MCP) servers, taint-style vulnerabilities where untrusted user input propagates into sensitive operations like command execution or file access, can be mitigated not by patching server code but by rewriting the natural-language tool descriptions that the LLM reads and by adding a self-reflection step before tool invocation. The authors first show through an empirical study of 53 real MCP vulnerabilities that taint-style flaws dominate the ecosystem (81.13%), are expensive to fix in code (averaging 203.6 modified lines across 3.3 files), and remain unpatched for long periods (92.3 days on average for unpatched cases). They then propose SPELLSMITH, which identifies which tools and parameters carry taint-style risk, augments the tool's Description field with explicit security constraints in plain English, and asks the LLM to reflect on whether a planned tool call might be an exploit attempt before executing it. Evaluated on a benchmark of 792 malicious prompts targeting 45 MCP servers, SPELLSMITH reduces the attack success rate from 56.61% to 0.04% at the trial level, without modifying any server-side code.

Core claim

The central finding is that the MCP tool Description field, a plain-text metadata property that LLMs already read during tool selection and parameter generation, can serve as an effective security intervention surface. By embedding risk-specific security constraints into this field and pairing it with a pre-invocation reflection step, the LLM's own decision-making process is steered away from generating arguments that would trigger taint-style vulnerabilities. The ablation shows that both components contribute independently: security-aware descriptions alone reduce the trial-level attack success rate from 56.61% to 6.69%, and reflection alone reduces it to 2.19%; combined, they achieve 0.04%

What carries the argument

The mechanism is a two-stage pipeline operating entirely at the MCP interaction layer. In the offline stage, a Risk Identification module analyzes tool metadata to produce a conservative risk profile capturing high-risk capabilities, potentially tainted parameters, and candidate CWE categories; a Tool Metadata Augmentation module then rewrites the Description field with four elements: risk capability, tainted parameters, potential CWE risks, and invocation policy. In the online stage, a Tool Invocation Reflection module prompts the LLM to reconsider user intent, selected tool, and proposed arguments against the augmented security constraints before the call reaches the MCP server, refusingor

Load-bearing premise

The evaluation uses 792 attack prompts constructed by the authors, and the near-zero attack success rate may reflect the difficulty of that specific prompt set rather than robustness against an adversary who specifically optimizes prompts to bypass the description augmentation and reflection mechanism.

What would settle it

Construct adversarial prompts specifically designed to exploit the gap between the augmented security constraints and the LLM's interpretation of them, for example by framing malicious intent in a way that appears to comply with the stated invocation policy while still routing tainted input to a sensitive operation.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • MCP server developers could ship security-aware descriptions as a first-line defense layer, reducing the urgency of code-level patches for taint-style vulnerabilities that take an average of 37.3 days to ship.
  • The approach could generalize to other LLM tool-use protocols beyond MCP wherever natural-language tool metadata is the primary interface between the LLM and external capabilities.
  • The reflection-based pre-invocation check pattern could be adopted as a standard safety stage in agent frameworks, analogous to how input validation works in traditional software but operating at the semantic level.
  • The risk identification module could be integrated into MCP server registries or marketplaces, automatically flagging tools whose metadata suggests taint-style risk patterns before deployment.
  • The near-zero attack success rate against the authors' benchmark may not hold against adversaries who specifically optimize prompts to bypass description-based constraints and reflection, which the paper does not evaluate.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If LLMs become more capable of following complex natural-language instructions, text-based security constraints in tool descriptions may become even more effective, creating an arms race where attackers must craft prompts that simultaneously bypass both the security constraints and the reflection step.
  • The approach creates a new attack surface: if an adversary can influence the tool Description field itself (e.g., through a compromised MCP server registry), they could embed misleading security guidance that weakens rather than strengthens the LLM's defenses.
  • The performance overhead of adding a reflection turn before every tool invocation may be significant in latency-sensitive or multi-step agent workflows, and the paper does not report latency or cost metrics.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

4 major / 7 minor

Summary. This paper studies vulnerabilities in MCP (Model Context Protocol) servers, finding that taint-style vulnerabilities (command injection, path traversal, SSRF, etc.) dominate the landscape. Based on an empirical analysis of 53 vulnerabilities across 45 MCP servers, the authors propose SPELLSMITH, which mitigates taint-style exploitation by (1) augmenting tool descriptions with security-aware constraints and (2) adding an LLM self-reflection step before tool invocation. The evaluation uses a benchmark of 792 malicious prompts grounded in real CVEs and reports a reduction in attack success rate from 56.61% to 0.04% (trial-level).

Significance. The empirical study (Section 3) is a genuine contribution: it systematically characterizes MCP server vulnerabilities using NVD and GitHub data, quantifies repair effort, and documents slow community response. The finding that 81.13% of MCP vulnerabilities are taint-style and that metadata rarely includes security guidance (only 7.00% of descriptions) is well-supported and motivates the defense. The SPELLSMITH approach of treating tool descriptions as a security policy surface is a reasonable and lightweight intervention. The benchmark of 792 prompts grounded in real CVEs is a useful artifact. However, several claims in the introduction are not backed by the experiments as presented, which significantly weakens the contribution.

major comments (4)
  1. §1, final paragraph of Introduction: The paper states 'we conduct ablation and adversarial evaluations to demonstrate the effectiveness of SPELLSMITH's individual components and its robustness against adversarial attacks.' However, Section 6 contains only RQ1 (Effectiveness) and RQ2 (Ablation Study). No adversarial evaluation—where attackers craft prompts specifically to bypass SPELLSMITH's reflection or description augmentation—is presented anywhere in the paper. This is a load-bearing claim: the near-zero ASR (0.04%) may reflect the static, non-adaptive nature of the 792 benchmark prompts rather than robustness against attacks that specifically target the defense. The 10 jailbreak strategies (§5) are adapted from prior work on general LLM jailbreaking and are not designed to evade SPELLSMITH's specific mechanisms. Either the adversarial evaluation must be added, or the claim of adversa
  2. §1, Contributions bullet 3: The paper claims the evaluation demonstrates effectiveness 'across diverse vulnerability types and LLMs.' However, §6.1 states that only GPT-4o is used as the evaluation model. No results for any other LLM are reported. Since the defense relies on LLM instruction-following and self-reflection—capabilities that vary substantially across models—this is a load-bearing gap. The claim should either be supported with multi-model experiments or revised to reflect single-model evaluation.
  3. §1, Evaluation paragraph: The paper states 'SPELLSMITH outperforms code-level mitigations by achieving comparable effectiveness while incurring substantially lower repair costs and offering greater generalizability.' However, Section 6 contains no direct experimental comparison between SPELLSMITH and any code-level mitigation. The repair cost data in Table 4 (§3.3) describes the effort of fixing vulnerabilities in the wild, but SPELLSMITH is never benchmarked head-to-head against code-level patches on the same vulnerability set. The claim of 'outperforming' code-level mitigations is unsupported by the experiments as presented.
  4. Table 6, §6.3: The ablation reveals that the reflection mechanism does the majority of the work. With None metadata, Post-reflection alone drops ASR_trial from 56.61% to 2.19%, while metadata augmentation alone (Ident., Pre-reflection) only drops it to 6.69%. The additional contribution of identified metadata on top of reflection (2.19% → 0.04%) is real but small. The paper should more explicitly acknowledge this distribution of effort and discuss whether the description augmentation component is worth its complexity, or whether the framing should center on reflection as the primary defense. This is important because the paper's novelty claim rests heavily on the metadata augmentation approach.
minor comments (7)
  1. §5: The benchmark construction methodology is underspecified. How were the 792 prompts distributed across the 53 vulnerabilities? How many prompts per vulnerability? Were all 53 vulnerabilities used, or a subset? The paper states coverage of '45 MCP servers and 130 MCP tools' but does not specify the per-vulnerability prompt count or sampling strategy.
  2. §6.1: The metric definitions reference 'cases' and 'trials' but the relationship between them is not fully specified. How many trials per case? How is attack success determined—automatically or manually? The evaluation would benefit from a description of the success-detection methodology.
  3. §4.2: The risk identification step uses LLM-based analysis (implied by 'uses the tool name, description, and input schema to answer three simple questions') but the specific prompt or procedure is not described. Since this is a core component, the prompt template or decision procedure should be included or referenced.
  4. §4.4: The reflection prompt is not provided. The paper describes what the reflection checks for but does not include the actual prompt template used. This hinders reproducibility.
  5. Table 6: The 'Wrong' column (incorrect vulnerability description) is an interesting control but its interpretation is unclear. An incorrect description still reduces ASR from 56.61% to 9.89% (Pre-reflection), suggesting that any additional text in the description may have a deterrent effect. This should be discussed.
  6. §3.1: The keyword search for NVD using 'MCP' may miss vulnerabilities in MCP servers that are not labeled with 'MCP' in their CVE entries. The authors should discuss potential coverage bias.
  7. References: Several entries use placeholder dates (e.g., [1], [2], [3] cite '2026' with 'Accessed January 6, 2026'). Verify these are correct and not artifacts.

Simulated Author's Rebuttal

4 responses · 0 unresolved

We thank the referee for the careful and constructive review. The referee correctly identifies that several claims in the introduction are not fully supported by the experiments as presented. We address each major comment below and commit to revising the manuscript accordingly.

read point-by-point responses
  1. Referee: §1, final paragraph of Introduction: The paper states 'we conduct ablation and adversarial evaluations to demonstrate the effectiveness of SPELLSMITH's individual components and its robustness against adversarial attacks.' However, Section 6 contains only RQ1 (Effectiveness) and RQ2 (Ablation Study). No adversarial evaluation—where attackers craft prompts specifically to bypass SPELLSMITH's reflection or description augmentation—is presented anywhere in the paper. This is a load-bearing claim: the near-zero ASR (0.04%) may reflect the static, non-adaptive nature of the 792 benchmark prompts rather than robustness against attacks that specifically target the defense. The 10 jailbreak strategies (§5) are adapted from prior work on general LLM jailbreaking and are not designed to evade SPELLSMITH's specific mechanisms. Either the adversarial evaluation must be added, or the claim of adversa

    Authors: The referee is correct. The introduction claims an adversarial evaluation that is not present in the paper. The 10 jailbreak strategies in Section 5 are adapted from general LLM jailbreaking taxonomies (Liu et al.) and were designed to diversify the attack surface of the benchmark, not to specifically target SPELLSMITH's reflection or description augmentation mechanisms. We agree that this is a load-bearing claim and that the near-zero ASR may partly reflect the non-adaptive nature of the benchmark prompts. We will revise the manuscript in two ways: (1) We will remove the claim of adversarial evaluation from the introduction and reframe the jailbreak strategies accurately as diversity-enhancing augmentations rather than adaptive adversarial evaluations. (2) We will add an explicit limitation paragraph in Section 8 (or a dedicated limitations subsection) acknowledging that the current evaluation does not include adaptive adversaries that specifically target SPELLSMITH's mechanisms, and that such evaluation is important future work. We believe this is the honest and correct revision given the current state of the experiments. revision: yes

  2. Referee: §1, Contributions bullet 3: The paper claims the evaluation demonstrates effectiveness 'across diverse vulnerability types and LLMs.' However, §6.1 states that only GPT-4o is used as the evaluation model. No results for any other LLM are reported. Since the defense relies on LLM instruction-following and self-reflection—capabilities that vary substantially across models—this is a load-bearing gap. The claim should either be supported with multi-model experiments or revised to reflect single-model evaluation.

    Authors: The referee is correct. Only GPT-4o is used in the evaluation; no other LLM is tested. The claim of effectiveness 'across diverse LLMs' in the contributions is unsupported by the experiments as presented. The diversity in the evaluation lies in vulnerability types (5 categories), attack objectives (5), jailbreak strategies (10), MCP servers (45), and tools (130), but not in the evaluation model. We will revise the contributions bullet to accurately reflect this scope, changing 'across diverse vulnerability types and LLMs' to 'across diverse vulnerability types and attack strategies.' We will also add a note in the experimental setup acknowledging that the single-model evaluation is a limitation, since the defense depends on instruction-following and self-reflection capabilities that vary across models, and that multi-model evaluation is a natural next step. revision: yes

  3. Referee: §1, Evaluation paragraph: The paper states 'SPELLSMITH outperforms code-level mitigations by achieving comparable effectiveness while incurring substantially lower repair costs and offering greater generalizability.' However, Section 6 contains no direct experimental comparison between SPELLSMITH and any code-level mitigation. The repair cost data in Table 4 (§3.3) describes the effort of fixing vulnerabilities in the wild, but SPELLSMITH is never benchmarked head-to-head against code-level patches on the same vulnerability set. The claim of 'outperforming' code-level mitigations is unsupported by the experiments as presented.

    Authors: The referee is correct. There is no head-to-head experimental comparison between SPELLSMITH and code-level mitigations on the same vulnerability set. The claim that SPELLSMITH 'outperforms code-level mitigations' is not supported by the experiments. What the paper does show is that (1) code-level fixes in the wild require substantial effort (Table 4: average 203.6 lines, 5.5 functions, 3.3 files), (2) 9.8% of code-level fixes remain exploitable, and (3) SPELLSMITH achieves a low ASR without code modifications. However, these are separate observations from different data sources and do not constitute a direct comparison. We will revise the introduction to remove the word 'outperforms' and instead accurately characterize the relationship: SPELLSMITH achieves strong mitigation effectiveness while avoiding the code modification costs documented in Section 3.3, and offers a complementary approach that can be deployed without server-side changes. We will also add a note that a direct head-to-head comparison with code-level patches on the same vulnerability set is left to future work. revision: yes

  4. Referee: Table 6, §6.3: The ablation reveals that the reflection mechanism does the majority of the work. With None metadata, Post-reflection alone drops ASR_trial from 56.61% to 2.19%, while metadata augmentation alone (Ident., Pre-reflection) only drops it to 6.69%. The additional contribution of identified metadata on top of reflection (2.19% → 0.04%) is real but small. The paper should more explicitly acknowledge this distribution of effort and discuss whether the description augmentation component is worth its complexity, or whether the framing should center on reflection as the primary defense. This is important because the paper's novelty claim rests heavily on the metadata augmentation approach.

    Authors: We agree that the ablation results show reflection contributes the larger share of the mitigation effect, and that the paper should acknowledge this more explicitly. However, we would push back slightly on the implication that the metadata augmentation component is not worth its complexity, for two reasons. First, the additional reduction from 2.19% to 0.04% trial-level ASR (and from 3.16% to 0.13% case-level ASR) represents a 55x and 24x relative reduction respectively. While the absolute reduction is small, in a security context where the baseline is already low, this additional factor matters. Second, the ablation also shows that metadata quality matters: under Post-reflection, identified risk descriptions (0.04%) substantially outperform generic declarations (0.67%) and incorrect descriptions (0.17%), demonstrating that the risk identification provides meaningful guidance beyond generic reflection. That said, we agree the paper should be more transparent about the distribution of effort. We will revise Section 6.3 to explicitly state that reflection is the primary driver of the mitigation effect, add a discussion of the relative contributions, and address the question of whether metadata augmentation is worth its complexity by arguing for the complementary value described above. We will also adjust the framing in the introduction and abstract to avoid implying that metadata augmentation is the sole or primary mechanism. revision: partial

Circularity Check

1 steps flagged

No significant circularity: the defense is evaluated against a self-constructed benchmark, but the benchmark is grounded in independently collected CVEs and the defense logic is not defined in terms of the benchmark.

specific steps
  1. fitted input called prediction [Section 5 (Benchmark) and Section 6.2 (RQ1 Effectiveness, Table 6)]
    "Based on the 53 vulnerabilities collected in our empirical study, we construct a benchmark of malicious MCP attacks to evaluate whether LLM agents can be induced to exploit taint-style vulnerabilities exposed by MCP servers. ... In total, our benchmark contains 792 attack prompts, covering five representative taint-style attack objectives, ten jailbreak strategies, five categories of taint-style vulnerabilities, 45 MCP servers, and 130 MCP tools. ... SPELLSMITH substantially reduces attack success. With identified risk descriptions and invocation reflection, the attack success rate drops to 0."

    The 792-prompt benchmark used to evaluate SPELLSMITH is constructed by the same authors from the same 53 vulnerabilities that motivated SPELLSMITH's design. The attack objectives and taint-style data flows exercised by the benchmark are the same ones SPELLSMITH's Risk Identification module (Section 4.2) is designed to detect. This creates a partial fit-to-evaluation alignment: the defense identifies risks from tool metadata using the same CWE categories and taint-style patterns that the benchmark attacks are designed to trigger. However, this is not a strict definitional circularity — SPELLSMITH's risk identification operates on tool metadata (name, description, input schema) and does not take the benchmark prompts as input. The benchmark is grounded in real CVEs collected from NVD and the

full rationale

The paper's central claim — that SPELLSMITH reduces attack success rate to 0.04% — is not circular by construction. SPELLSMITH's defense logic (risk identification, metadata augmentation, reflection) is defined in terms of tool metadata and CWE categories, not in terms of the 792 benchmark prompts. The benchmark is constructed from independently collected CVEs (NVD query + GitHub advisories), and the jailbreak strategies are adapted from prior work (Liu et al. [29]). The partial alignment between the benchmark's attack patterns and SPELLSMITH's risk identification logic is a legitimate evaluation-design concern (the defense is tested against attacks matching its own threat model), but it does not constitute definitional circularity where the output equals the input by construction. The ablation study (Table 6) provides independent evidence: the 'Wrong' and 'Decl.' metadata settings show that the specific risk identification matters (0.17% vs 0.67% trial ASR under post-reflection), and reflection alone (without metadata augmentation) achieves 2.19% — these are not forced by construction. The one minor concern is that the benchmark and defense share the same authors and the same vulnerability taxonomy, which could bias the evaluation toward the defense's strengths, but this is a threat to external validity, not circularity. Score: 2.

Axiom & Free-Parameter Ledger

4 free parameters · 3 axioms · 0 invented entities

The paper introduces no new mathematical entities, particles, or physical constructs. The free parameters are primarily implementation choices (LLM model, prompt designs) that are fitted to the evaluation but not independently validated. The key axiom—that LLMs reliably follow description-embedded security guidance—is tested empirically but only against non-adaptive attacks.

free parameters (4)
  • LLM choice = GPT-4o
    Only GPT-4o is evaluated; the effectiveness is likely model-dependent.
  • Attack prompt set = 792 prompts
    Constructed by the authors; the 0.04% ASR is measured against this specific set.
  • Reflection prompt design = Not specified
    The exact prompt used for the self-reflection module is not provided in the paper.
  • Description augmentation template = Not specified
    The exact template or prompt used to generate augmented descriptions is not provided.
axioms (3)
  • domain assumption Taint-style vulnerabilities are the dominant class in MCP servers
    Based on the authors' analysis of 53 CVEs (Section 3.3), 81.13% are taint-style. This is used to motivate the entire approach.
  • ad hoc to paper LLMs can be guided by tool descriptions to avoid unsafe behavior
    The central design assumption (Section 4.1) is that embedding security constraints in the Description field will influence LLM planning. This is supported by the experiments but is a behavioral assumption, not a proven property.
  • standard math Self-reflection improves LLM safety decisions
    Prior work [20, 43] supports this; the paper applies it to MCP tool invocation (Section 4.4).

pith-pipeline@v1.1.0-glm · 20887 in / 1997 out tokens · 459380 ms · 2026-07-09T10:06:37.189504+00:00 · methodology

0 comments
read the original abstract

Large language models (LLMs) are increasingly deployed as autonomous agents that interact with external tools and services via the Model Context Protocol (MCP), a standardized interface for dynamic tool invocation. While MCP simplifies integration, it also expands the attack surface and enables generic exploits across multiple servers. Despite prior work on malicious MCP servers, the vulnerability landscape of MCP servers remains underexplored. In this work, we systematically analyze MCP server vulnerabilities, focusing on metadata characteristics, vulnerable code patterns, and community responses. Our study reveals that taint-style vulnerabilities constitute a substantial fraction of MCP server vulnerabilities, require significant code modifications to remediate, and are met with slow community responses. Motivated by these findings, we propose SPELLSMITH, presenting a novel textbased avenue for shielding taint-style vulnerabilities in MCP servers. In particular, SPELLSMITH analyzes the high-risk capabilities exposed by an MCP server and combines them with tool descriptions and parameter semantics to identify potential taint-style vulnerability risks, thereby constructing a tool-level risk profile. Then, SPELLSMITH leverages the Description property of the protocol to embed behavioral guidance (Description Enhancement Module) and exploits LLMs' self-reflection capabilities (Self-Reflection Module) to iteratively evaluate and refine outputs. By strengthening LLM internal decision-making, SPELLSMITH provides an active and unified mitigation strategy that generalizes across multiple vulnerabilities, reducing reliance on context-specific code-level fixes. Our experiments demonstrate that SPELLSMITH effectively mitigates taint-style vulnerability exploitation in MCP servers, highlighting its practical applicability and advantages over traditional code-level mitigations.

Figures

Figures reproduced from arXiv: 2607.07461 by Chengyao Sun, Jiaheng Fu, Kaifeng Huang, Ruixiang Wu, Yang Shi, Yihe Huang.

Figure 1
Figure 1. Figure 1: Overview of the MCP Workflow, Illustrated with an SSRF Vulnerability in the [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Example Vulnerable Code from the Markdownify MCP server (CVE-2025-5276) server. An MCP-based agent typically consists of the LLMs, MCP clients, and MCP servers, where each MCP server may expose multiple MCP tools. The MCP workflow is struc￾tured as follows: (1) Tool Registration. MCP servers publish tool metadata, including tool names, input/output schemas, which are registered with the MCP client and prov… view at source ↗
Figure 3
Figure 3. Figure 3: Application and functional categories for MCP [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

74 extracted references · 74 canonical work pages · 21 internal anchors

  1. [1]

    https://cloud.google.com/blo g/products/ai-machine-learning/announcing -official-mcp-support-for-google-services ,

    Announcing model context protocol (mcp) support for google services. https://cloud.google.com/blo g/products/ai-machine-learning/announcing -official-mcp-support-for-google-services ,

  2. [2]

    Accessed January 6, 2026

  3. [3]

    https://modelcontextprotoc ol.io/, 2026

    Model context protocol (mcp): An open standard for llm–tool integration. https://modelcontextprotoc ol.io/, 2026. Accessed January 6, 2026

  4. [4]

    https://developers.notion.com/gu ides/mcp/mcp, 2026

    Notion mcp. https://developers.notion.com/gu ides/mcp/mcp, 2026. Accessed January 6, 2026

  5. [5]

    Introducing the model context protocol,

    Anthropic. Introducing the model context protocol,

  6. [6]

    URL: https://www

    Accessed: 2026-01-25. URL: https://www. anthropic.com/news/model-context-protocol

  7. [7]

    AgentBound: Securing Execution Boundaries of AI Agents

    Christoph Bühler, Matteo Biagiola, Luca Di Grazia, and Guido Salvaneschi. Securing ai agent execution.arXiv preprint arXiv:2510.21236, 2025

  8. [8]

    Jail- breaking black box large language models in twenty queries

    Patrick Chao, Alexander Robey, Edgar Dobriban, Hamed Hassani, George J Pappas, and Eric Wong. Jail- breaking black box large language models in twenty queries. In2025 IEEE Conference on Secure and Trust- worthy Machine Learning (SaTML), pages 23–42. IEEE, 2025

  9. [9]

    MCPToolBench++: A Large Scale AI Agent Model Context Protocol MCP Tool Use Benchmark

    Shiqing Fan, Xichen Ding, Liang Zhang, and Linjian Mo. Mcptoolbench++: A large scale ai agent model con- text protocol mcp tool use benchmark.arXiv preprint arXiv:2508.07575, 2025

  10. [10]

    Operation mango: Scal- able discovery of {Taint-Style} vulnerabilities in binary firmware services

    Wil Gibbs, Arvind S Raj, Jayakrishna Menon Va- dayath, Hui Jun Tay, Justin Miller, Akshay Ajayan, Zion Leonahenahe Basque, Audrey Dutcher, Fangzhou Dong, Xavier Maso, et al. Operation mango: Scal- able discovery of {Taint-Style} vulnerabilities in binary firmware services. In33rd USENIX Security Symposium (USENIX Security 24), pages 7123–7139, 2024

  11. [11]

    Github rest api documentation, version 2022-11-28

    GitHub, Inc. Github rest api documentation, version 2022-11-28. Online documentation, 2022. https: //docs.github.com/en/rest?apiVersion=2022-1 1-28

  12. [12]

    {PAPILLON}: Efficient and stealthy fuzz {Testing-Powered} jailbreaks for {LLMs}

    Xueluan Gong, Mingzhe Li, Yilin Zhang, Fengyuan Ran, Chen Chen, Yanjiao Chen, Qian Wang, and Kwok- Yan Lam. {PAPILLON}: Efficient and stealthy fuzz {Testing-Powered} jailbreaks for {LLMs}. In34th USENIX Security Symposium (USENIX Security 25), pages 2401–2420, 2025

  13. [13]

    A mea- surement study of model context protocol.arXiv e- prints, pages arXiv–2509, 2025

    Hechuan Guo, Yongle Hao, Yue Zhang, Minghui Xu, Peizhuo Lyu, Jiezhi Chen, and Xiuzhen Cheng. A mea- surement study of model context protocol.arXiv e- prints, pages arXiv–2509, 2025

  14. [14]

    Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers

    Mohammed Mehedi Hasan, Hao Li, Emad Fallahzadeh, Gopi Krishnan Rajbahadur, Bram Adams, and Ahmed E Hassan. Model context protocol (mcp) at first glance: Studying the security and maintainability of mcp servers. arXiv preprint arXiv:2506.13538, 2025

  15. [15]

    Vmud: Detecting recurring vulnerabili- ties with multiple fixing functions via function selection and semantic equivalent statement matching

    Kaifeng Huang, Chenhao Lu, Yiheng Cao, Bihuan Chen, and Xin Peng. Vmud: Detecting recurring vulnerabili- ties with multiple fixing functions via function selection and semantic equivalent statement matching. InPro- ceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pages 3958– 3972, 2024

  16. [16]

    Baseline Defenses for Adversarial Attacks Against Aligned Language Models

    Neel Jain, Avi Schwarzschild, Yuxin Wen, Gowthami Somepalli, John Kirchenbauer, Ping-yeh Chiang, Micah Goldblum, Aniruddha Saha, Jonas Geiping, and Tom Goldstein. Baseline defenses for adversarial attacks against aligned language models.arXiv preprint arXiv:2309.00614, 2023

  17. [17]

    Improved Techniques for Optimization-Based Jailbreaking on Large Language Models

    Xiaojun Jia, Tianyu Pang, Chao Du, Yihao Huang, Jindong Gu, Yang Liu, Xiaochun Cao, and Min Lin. Improved techniques for optimization-based jailbreak- ing on large language models.arXiv preprint arXiv:2405.21018, 2024

  18. [18]

    Artprompt: Ascii art-based jailbreak attacks against aligned llms

    Fengqing Jiang, Zhangchen Xu, Luyao Niu, Zhen Xiang, Bhaskar Ramasubramanian, Bo Li, and Radha Pooven- dran. Artprompt: Ascii art-based jailbreak attacks against aligned llms. InProceedings of the 62nd An- nual Meeting of the Association for Computational Lin- guistics (Volume 1: Long Papers), pages 15157–15173, 2024

  19. [19]

    Mcip: Protecting mcp safety via model contextual integrity protocol

    Huihao Jing, Haoran Li, Wenbin Hu, Qi Hu, Xu Heli, Tianshu Chu, Peizhao Hu, and Yangqiu Song. Mcip: Protecting mcp safety via model contextual integrity protocol. InProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, pages 1177–1194, 2025

  20. [20]

    PhD thesis, Massachusetts Institute of Technology, 2024

    Zachary D Johnson.Generation, Detection, and Eval- uation of Role-play based Jailbreak attacks in Large Language Models. PhD thesis, Massachusetts Institute of Technology, 2024

  21. [21]

    Scaling javascript abstract interpretation to detect and exploit node

    Mingqing Kang, Yichao Xu, Song Li, Rigel Gjomemo, Jianwei Hou, VN Venkatakrishnan, and Yinzhi Cao. Scaling javascript abstract interpretation to detect and exploit node. js taint-style vulnerability. InProceedings of the 2023 IEEE Symposium on Security and Privacy (SP), pages 1059–1076. IEEE, 2023

  22. [22]

    Break the breakout: Reinventing lm defense against jailbreak attacks with self-refine

    Heegyu Kim and Hyunsouk Cho. Break the breakout: Reinventing lm defense against jailbreak attacks with self-refine. InProceedings of the 5th Workshop on Trust- worthy NLP (TrustNLP 2025), pages 82–102, 2025. 11

  23. [23]

    Certifying LLM Safety against Adversarial Prompting

    Aounon Kumar, Chirag Agarwal, Suraj Srinivas, Aaron Jiaxun Li, Soheil Feizi, and Himabindu Lakkaraju. Certifying llm safety against adversarial prompting. arXiv preprint arXiv:2309.02705, 2023

  24. [24]

    MCP Guardian: A Security-First Layer for Safeguarding MCP-Based AI System

    Sonu Kumar, Anubhav Girdhar, Ritesh Patil, and Di- vyansh Tripathi. Mcp guardian: A security-first layer for safeguarding mcp-based ai system.arXiv preprint arXiv:2504.12757, 2025

  25. [25]

    Don’t believe everything you read: Understanding and measuring mcp behav- ior under misleading tool descriptions.arXiv preprint arXiv:2602.03580, 2026

    Zhihao Li, Boyang Ma, Xuelong Dai, Minghui Xu, Yue Zhang, Biwei Yan, and Kun Li. Don’t believe everything you read: Understanding and measuring mcp behav- ior under misleading tool descriptions.arXiv preprint arXiv:2602.03580, 2026

  26. [26]

    A Large-Scale Evolvable Dataset for Model Context Protocol Ecosystem and Security Analysis

    Zhiwei Lin, Bonan Ruan, Jiahao Liu, and Weibo Zhao. A large-scale evolvable dataset for model context pro- tocol ecosystem and security analysis.arXiv preprint arXiv:2506.23474, 2025

  27. [27]

    Detecting taint-style vulnerabilities in microservice- structured web applications

    Fengyu Liu, Yuan Zhang, Tian Chen, Youkun Shi, Guan- gliang Yang, Zihan Lin, Min Yang, Junyao He, and Qi Li. Detecting taint-style vulnerabilities in microservice- structured web applications. In2025 IEEE Symposium on Security and Privacy (SP), pages 972–990, 2025

  28. [28]

    Make agent defeat agent: Au- tomatic detection of {Taint-Style} vulnerabilities in {LLM-based} agents

    Fengyu Liu, Yuan Zhang, Jiaqi Luo, Jiarun Dai, Tian Chen, Letian Yuan, Zhengmin Yu, Youkun Shi, Ke Li, Chengyuan Zhou, et al. Make agent defeat agent: Au- tomatic detection of {Taint-Style} vulnerabilities in {LLM-based} agents. In34th USENIX Security Sympo- sium (USENIX Security 25), pages 3767–3786, 2025

  29. [29]

    Demystifying rce vulnerabilities in llm- integrated apps

    Tong Liu, Zizhuang Deng, Guozhu Meng, Yuekang Li, and Kai Chen. Demystifying rce vulnerabilities in llm- integrated apps. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pages 1716–1730, 2024

  30. [30]

    AutoDAN: Generating Stealthy Jailbreak Prompts on Aligned Large Language Models

    Xiaogeng Liu, Nan Xu, Muhao Chen, and Chaowei Xiao. Autodan: Generating stealthy jailbreak prompts on aligned large language models.arXiv preprint arXiv:2310.04451, 2023

  31. [31]

    Jailbreaking ChatGPT via Prompt Engineering: An Empirical Study

    Yi Liu, Gelei Deng, Zhengzi Xu, Yuekang Li, Yaowen Zheng, Ying Zhang, Lida Zhao, Tianwei Zhang, Kai- long Wang, and Yang Liu. Jailbreaking chatgpt via prompt engineering: An empirical study.arXiv preprint arXiv:2305.13860, 2023

  32. [32]

    Tchecker: Precise static inter-procedural analysis for detecting taint-style vulnerabilities in php applications

    Changhua Luo, Penghui Li, and Wei Meng. Tchecker: Precise static inter-procedural analysis for detecting taint-style vulnerabilities in php applications. InPro- ceedings of the 2022 ACM SIGSAC Conference on Com- puter and Communications Security (CCS), pages 2175– 2188, 2022

  33. [33]

    Tree of attacks: Jailbreaking black-box llms automatically.Advances in Neural Information Processing Systems, 37:61065–61105, 2024

    Anay Mehrotra, Manolis Zampetakis, Paul Kassianik, Blaine Nelson, Hyrum Anderson, Yaron Singer, and Amin Karbasi. Tree of attacks: Jailbreaking black-box llms automatically.Advances in Neural Information Processing Systems, 37:61065–61105, 2024

  34. [34]

    When a patch goes bad: Exploring the properties of vulnerability-contributing commits

    Andrew Meneely, Harshavardhan Srinivasan, Ayemi Musa, Alberto Rodriguez Tejeda, Matthew Mokary, and Brian Spates. When a patch goes bad: Exploring the properties of vulnerability-contributing commits. In 2013 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, pages 65–74. IEEE, 2013

  35. [35]

    Llama guard 4: Model card and prompt formats,

    Meta. Llama guard 4: Model card and prompt formats,

  36. [36]

    URL: https://www.llama.com/docs/model -cards-and-prompt-formats/llama-guard-4/

  37. [37]

    Llama prompt guard: Model cards and prompt formats, 2025

    Meta. Llama prompt guard: Model cards and prompt formats, 2025. URL: https://www.llama.com/docs /model-cards-and-prompt-formats/prompt-gua rd/

  38. [38]

    MITRE ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge

    MITRE Corporation. MITRE ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge. https: //attack.mitre.org/. Accessed: 2026-06-16

  39. [39]

    Model context protocol python sdk

    modelcontextprotocol. Model context protocol python sdk. GitHub repository, 2024. https://github.com /modelcontextprotocol/python-sdk

  40. [40]

    National vulnerability database (nvd)

    National Institute of Standards and Technology (NIST). National vulnerability database (nvd). https://nvd. nist.gov/, 2026. Accessed: 2026-01-08

  41. [41]

    Commit 0284aa8 for patching the cve- 2025-5276 vulnerability, 2026

    NVD NIST. Commit 0284aa8 for patching the cve- 2025-5276 vulnerability, 2026. Accessed: 2026-01-25. URL: https://github.com/zcaceres/markdownif y-mcp/commit/0284aa8f34d32c65e20d8cda2d42 9b7943c9af03

  42. [42]

    Cve-2025-5276 detail, 2026

    NVD NIST. Cve-2025-5276 detail, 2026. Accessed: 2026-01-25. URL: https://nvd.nist.gov/vuln/de tail/cve-2025-5276

  43. [43]

    User comment of the commit 0284aa8 for patching the cve-2025-5276 vulnerability, 2026

    NVD NIST. User comment of the commit 0284aa8 for patching the cve-2025-5276 vulnerability, 2026. Ac- cessed: 2026-01-25. URL: https://github.com/zca ceres/markdownify-mcp/commit/0284aa8f34d3 2c65e20d8cda2d429b7943c9af03#r160156463

  44. [44]

    The official website of GPT-4o

    OpenAI. The official website of GPT-4o. https://op enai.com/index/hello-gpt-4o/

  45. [45]

    Prompt-to-sql injections in llm-integrated web applications: Risks and defenses

    Rodrigo Pedro, Miguel E Coimbra, Daniel Castro, Paulo Carreira, and Nuno Santos. Prompt-to-sql injections in llm-integrated web applications: Risks and defenses. InProceedings of the IEEE/ACM 47th International 12 Conference on Software Engineering, pages 1768–1780, 2025

  46. [46]

    LLM Self Defense: By Self Examination, LLMs Know They Are Being Tricked

    M Phute, A Helbling, M Hull, S Peng, S Szyller, C Cor- nelius, DH Chau, and Self Defense LLM. By self ex- amination, llms know they are being tricked. arxiv 2023. arXiv preprint arXiv:2308.07308

  47. [47]

    SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks

    Alexander Robey, Eric Wong, Hamed Hassani, and George J Pappas. Smoothllm: Defending large language models against jailbreaking attacks.arXiv preprint arXiv:2310.03684, 2023

  48. [48]

    do anything now

    Xinyue Shen, Zeyuan Chen, Michael Backes, Yun Shen, and Yang Zhang. " do anything now": Characterizing and evaluating in-the-wild jailbreak prompts on large language models. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pages 1671–1685, 2024

  49. [49]

    Security debt in llm agent applications: A measurement study of vulnerabilities and mitigation trade-offs

    Zhuoxiang Shen, Jiarun Dai, Yuan Zhang, and Min Yang. Security debt in llm agent applications: A measurement study of vulnerabilities and mitigation trade-offs

  50. [50]

    Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol (MCP) Ecosystem

    Hao Song, Yiming Shen, Wenxuan Luo, Leixin Guo, Ting Chen, Jiashui Wang, Beibei Li, Xiaosong Zhang, and Jiachi Chen. Beyond the protocol: Unveiling attack vectors in the model context protocol ecosystem.arXiv preprint arXiv:2506.02040, 2025

  51. [51]

    Help or Hurdle? Rethinking Model Context Protocol-Augmented Large Language Models

    Wei Song, Haonan Zhong, Ziqi Ding, Jingling Xue, and Yuekang Li. Help or hurdle? rethinking model con- text protocol-augmented large language models.arXiv preprint arXiv:2508.12566, 2025

  52. [52]

    Mpma: Preference manipulation attack against model context protocol.arXiv preprint arXiv:2505.11154, 2025

    Zihan Wang, Rui Zhang, Yu Liu, Wenshu Fan, Wenbo Jiang, Qingchuan Zhao, Hongwei Li, and Guowen Xu. Mpma: Preference manipulation attack against model context protocol.arXiv preprint arXiv:2505.11154, 2025

  53. [53]

    Jailbreak and Guard Aligned Language Models with Only Few In-Context Demonstrations

    Zeming Wei, Yifei Wang, Ang Li, Yichuan Mo, and Yisen Wang. Jailbreak and guard aligned language models with only few in-context demonstrations.arXiv preprint arXiv:2310.06387, 2023

  54. [54]

    Silent taint-style vulnerability fixes identifica- tion

    Zhongzhen Wen, Jiayuan Zhou, Minxue Pan, Shaohua Wang, Xing Hu, Tongtong Xu, Tian Zhang, and Xuan- dong Li. Silent taint-style vulnerability fixes identifica- tion. InProceedings of the 33rd ACM SIGSOFT Inter- national Symposium on Software Testing and Analysis, pages 428–439, 2024

  55. [55]

    Defending chatgpt against jailbreak attack via self- reminder

    Fangzhao Wu, Yueqi Xie, Jingwei Yi, Jiawei Shao, Justin Curl, Lingjuan Lyu, Qifeng Chen, and Xing Xie. Defending chatgpt against jailbreak attack via self- reminder. 2023

  56. [56]

    Mcpzoo: A large-scale dataset of runnable model context protocol servers for ai agent, 2025.arXiv:2512.15144

    Mengying Wu, Pei Chen, Geng Hong, Baichao An, Jin- song Chen, Binwang Wan, Xudong Pan, Jiarun Dai, and Min Yang. Mcpzoo: A large-scale dataset of runnable model context protocol servers for ai agent, 2025.arXiv:2512.15144

  57. [57]

    Commitshield: Tracking vulner- ability introduction and fix in version control systems

    Zhaonan Wu, Yanjie Zhao, Chen Wei, Zirui Wan, Yue Liu, and Haoyu Wang. Commitshield: Tracking vulner- ability introduction and fix in version control systems. In2025 IEEE/ACM 47th International Conference on Software Engineering: Companion Proceedings (ICSE- Companion), pages 279–290. IEEE, 2025

  58. [58]

    Mcpmark: A benchmark for stress-testing realistic and comprehen- sive mcp use.arXiv preprint arXiv:2509.24002, 2025

    Zijian Wu, Xiangyan Liu, Xinyuan Zhang, Lingjun Chen, Fanqing Meng, Lingxiao Du, Yiran Zhao, Fan- shi Zhang, Yaoqi Ye, Jiawei Wang, et al. Mcpmark: A benchmark for stress-testing realistic and comprehen- sive mcp use.arXiv preprint arXiv:2509.24002, 2025

  59. [59]

    Mcp-guard: A defense framework for model context protocol integrity in large language model applications.arXiv preprint arXiv:2508.10991, 2025

    Wenpeng Xing, Zhonghao Qi, Yupeng Qin, Yilin Li, Caini Chang, Jiahui Yu, Changting Lin, Zhenzhen Xie, and Meng Han. Mcp-guard: A defense framework for model context protocol integrity in large language model applications.arXiv preprint arXiv:2508.10991, 2025

  60. [60]

    Automatic inference of search patterns for taint-style vulnerabilities

    Fabian Yamaguchi, Alwin Maier, Hugo Gascon, and Konrad Rieck. Automatic inference of search patterns for taint-style vulnerabilities. In2015 IEEE symposium on security and privacy, pages 797–812. IEEE, 2015

  61. [61]

    The Dark Side of Trust: Authority Citation-Driven Jailbreak Attacks on Large Language Models

    Xikang Yang, Xuehai Tang, Jizhong Han, and Songlin Hu. The dark side of trust: Authority citation-driven jail- break attacks on large language models.arXiv preprint arXiv:2411.11407, 2024

  62. [62]

    Mcpsecbench: A systematic security benchmark and playground for testing model context protocols.arXiv preprint arXiv:2508.13220, 2025

    Yixuan Yang, Daoyuan Wu, and Yufan Chen. Mcpsecbench: A systematic security benchmark and playground for testing model context protocols.arXiv preprint arXiv:2508.13220, 2025

  63. [63]

    Precise discovery of more taint-style vulnerabilities in embedded firmware

    Xiaokang Yin, Ruijie Cai, Xiaoya Zhu, Qichao Yang, Enzhou Song, and Shengli Liu. Precise discovery of more taint-style vulnerabilities in embedded firmware. IEEE Transactions on Dependable and Secure Comput- ing, 2024

  64. [64]

    Low-Resource Languages Jailbreak GPT-4

    Zheng-Xin Yong, Cristina Menghini, and Stephen H Bach. Low-resource languages jailbreak gpt-4.arXiv preprint arXiv:2310.02446, 2023

  65. [65]

    GPTFUZZER: Red Teaming Large Language Models with Auto-Generated Jailbreak Prompts

    Jiahao Yu, Xingwei Lin, Zheng Yu, and Xinyu Xing. Gptfuzzer: Red teaming large language models with auto-generated jailbreak prompts.arXiv preprint arXiv:2309.10253, 2023

  66. [66]

    Don’t listen to me: Understanding and exploring jailbreak prompts 13 of large language models

    Zhiyuan Yu, Xiaogeng Liu, Shunning Liang, Zach Cameron, Chaowei Xiao, and Ning Zhang. Don’t listen to me: Understanding and exploring jailbreak prompts 13 of large language models. In33rd USENIX Security Symposium (USENIX Security 24), pages 4675–4692, 2024

  67. [67]

    GPT-4 Is Too Smart To Be Safe: Stealthy Chat with LLMs via Cipher

    Youliang Yuan, Wenxiang Jiao, Wenxuan Wang, Jen-tse Huang, Pinjia He, Shuming Shi, and Zhaopeng Tu. Gpt- 4 is too smart to be safe: Stealthy chat with llms via cipher.arXiv preprint arXiv:2308.06463, 2023

  68. [68]

    How johnny can persuade llms to jailbreak them: Rethinking persuasion to chal- lenge ai safety by humanizing llms

    Yi Zeng, Hongpeng Lin, Jingwen Zhang, Diyi Yang, Ruoxi Jia, and Weiyan Shi. How johnny can persuade llms to jailbreak them: Rethinking persuasion to chal- lenge ai safety by humanizing llms. InProceedings of the 62nd Annual Meeting of the Association for Com- putational Linguistics (Volume 1: Long Papers), pages 14322–14350, 2024

  69. [69]

    AutoDefense: Multi-Agent LLM Defense against Jailbreak Attacks

    Yifan Zeng, Yiran Wu, Xiao Zhang, Huazheng Wang, and Qingyun Wu. Autodefense: Multi-agent llm defense against jailbreak attacks.arXiv preprint arXiv:2403.04783, 2024

  70. [70]

    Mcp security bench (msb): Bench- marking attacks against model context protocol in llm agents.arXiv preprint arXiv:2510.15994, 2025

    Dongsen Zhang, Zekun Li, Xu Luo, Xuannan Liu, Peipei Li, and Wenjun Xu. Mcp security bench (msb): Bench- marking attacks against model context protocol in llm agents.arXiv preprint arXiv:2510.15994, 2025

  71. [71]

    Statically discov- ering high-order taint style vulnerabilities in os kernels

    Hang Zhang, Weiteng Chen, Yu Hao, Guoren Li, Yizhuo Zhai, Xiaochen Zou, and Zhiyun Qian. Statically discov- ering high-order taint style vulnerabilities in os kernels. InProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pages 811– 824, 2021

  72. [72]

    Intention analysis makes llms a good jailbreak defender

    Yuqi Zhang, Liang Ding, Lefei Zhang, and Dacheng Tao. Intention analysis makes llms a good jailbreak defender. InProceedings of the 31st International Conference on Computational Linguistics, pages 2947–2968, 2025

  73. [73]

    Defending large language models against jailbreaking attacks through goal priori- tization

    Zhexin Zhang, Junxiao Yang, Pei Ke, Fei Mi, Hongning Wang, and Minlie Huang. Defending large language models against jailbreaking attacks through goal priori- tization. InProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pages 8865–8887, 2024

  74. [74]

    Universal and Transferable Adversarial Attacks on Aligned Language Models

    Andy Zou, Zifan Wang, Nicholas Carlini, Milad Nasr, J Zico Kolter, and Matt Fredrikson. Universal and trans- ferable adversarial attacks on aligned language models. arXiv preprint arXiv:2307.15043, 2023. 14