Pith. sign in

REVIEW 31 cited by

MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 2504.03767 v2 pith:2DETMO2N submitted 2025-04-02 cs.CR cs.AIcs.LG

MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits

classification cs.CR cs.AIcs.LG
keywords securityllmsservertooltoolsagenticmcpsafetyscannerprotocol
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

To reduce development overhead and enable seamless integration between potential components comprising any given generative AI application, the Model Context Protocol (MCP) (Anthropic, 2024) has recently been released and subsequently widely adopted. The MCP is an open protocol that standardizes API calls to large language models (LLMs), data sources, and agentic tools. By connecting multiple MCP servers, each defined with a set of tools, resources, and prompts, users are able to define automated workflows fully driven by LLMs. However, we show that the current MCP design carries a wide range of security risks for end users. In particular, we demonstrate that industry-leading LLMs may be coerced into using MCP tools to compromise an AI developer's system through various attacks, such as malicious code execution, remote access control, and credential theft. To proactively mitigate these and related attacks, we introduce a safety auditing tool, MCPSafetyScanner, the first agentic tool to assess the security of an arbitrary MCP server. MCPScanner uses several agents to (a) automatically determine adversarial samples given an MCP server's tools and resources; (b) search for related vulnerabilities and remediations based on those samples; and (c) generate a security report detailing all findings. Our work highlights serious security issues with general-purpose agentic workflows while also providing a proactive tool to audit MCP server safety and address detected vulnerabilities before deployment. The described MCP server auditing tool, MCPSafetyScanner, is freely available at: https://github.com/johnhalloran321/mcpSafetyScanner

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 31 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. A First Measurement Study on Authentication Security in Real-World Remote MCP Servers

    cs.CR 2026-05 conditional novelty 8.0

    First measurement study of 7,973 remote MCP servers finds 40.55% lack authentication and all 119 tested OAuth servers have flaws that risk data leaks or account takeover.

  2. Parasites in the Toolchain: A Large-Scale Analysis of Attacks on the MCP Ecosystem

    cs.CR 2025-09 unverdicted novelty 8.0

    This paper defines a new Parasitic Toolchain Attack pattern (MCP-UPD) that assembles legitimate tools into privacy-exfiltrating workflows and reports the first large-scale scan of 12230 MCP tools across 1360 servers r...

  3. Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers

    cs.SE 2025-06 conditional novelty 8.0

    First study of 1,899 MCP servers finds eight distinct vulnerabilities (only three traditional), 7.2% with general issues, 5.5% with tool poisoning, and 66% with code smells, urging MCP-specific security practices.

  4. ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP

    cs.CR 2026-06 unverdicted novelty 7.0

    ShareLock applies Shamir's threshold scheme to distribute poisoning payloads across multiple MCP tool descriptions, achieving information-theoretic secrecy and over 90% average attack success rate in multi-tool scenarios.

  5. "What Happens Locally, Leaks Globally": Detecting Privacy Leakage Risks in MCP Servers

    cs.CR 2026-06 unverdicted novelty 7.0

    MCPPrivacyDetector applies cross-language taint analysis to detect protocol-induced privacy leaks in MCP servers, reporting >10% leakage rate across 10,655 real-world instances.

  6. LACUNA: Safe Agents as Recursive Program Holes

    cs.AI 2026-05 unverdicted novelty 7.0

    LACUNA defines agent actions as typed calls agent[T](task) that LLMs complete with code, which is type-checked before running to enforce safety bounds and enable control-flow patterns like loops and sub-agents.

  7. Skill Description Deception Attack against Task Routing in Internet of Agents

    cs.MA 2026-05 conditional novelty 7.0

    Malicious agents can deceive LLM-based task routers in Internet of Agents systems by generating fake skill descriptions, achieving up to 98% success rate across nine domains.

  8. DADL: A Declarative Description Language for Enterprise Tool Libraries in LLM Agent Systems

    cs.SE 2026-05 unverdicted novelty 7.0

    DADL is a declarative YAML format that lets a single runtime handle many REST API tools for LLM agents, cutting tool advertisement context cost by 142x from 142,000 to 1,000 tokens on a catalog of 1,833 definitions.

  9. MCP-DPT: A Defense-Placement Taxonomy and Coverage Analysis for Model Context Protocol Security

    cs.CR 2026-04 conditional novelty 7.0

    MCP-DPT creates a defense-placement taxonomy that organizes MCP threats and defenses across six architectural layers, revealing mostly tool-centric protections and gaps at orchestration, transport, and supply-chain layers.

  10. How Your Credentials Are Leaked by LLM Agent Skills: An Empirical Study

    cs.CR 2026-04 accept novelty 7.0

    Analysis of 17k LLM agent skills reveals 520 vulnerable ones with 1,708 leakage issues, primarily from debug output exposure, with a 10-pattern taxonomy and released dataset for future detection.

  11. From Component Manipulation to System Compromise: Understanding and Detecting Malicious MCP Servers

    cs.CR 2026-04 unverdicted novelty 7.0

    Presents a component-centric PoC dataset of malicious MCP servers and a two-stage behavioral deviation detector Connor achieving 94.6% F1-score.

  12. AgentBound: Securing Execution Boundaries of AI Agents

    cs.CR 2025-10 conditional novelty 7.0

    AgentBound is the first declarative access control framework for Model Context Protocol servers that generates policies from source code at 80.9% accuracy and blocks most threats in malicious servers with negligible overhead.

  13. Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions

    cs.CR 2025-03 unverdicted novelty 7.0

    MCP lifecycle is defined with four phases and 16 activities; a threat taxonomy of 16 scenarios is constructed, validated via case studies, and paired with phase-specific safeguards.

  14. From Legacy Documentation to OSCAL: An MCP-Based Agent Pipeline for Threat-Informed Continuous Compliance in Critical Infrastructure

    cs.CR 2026-07 conditional novelty 6.0

    An MCP-grounded eight-phase agent pipeline converts natural-language critical-infrastructure descriptions into source-verified knowledge graphs and schema-valid OSCAL SSP/SAR artifacts, with 0.90 CVE recall on a synth...

  15. Understanding and Evaluating Claw-like Agent Security Through a Computer-Systems Lens

    cs.CR 2026-06 unverdicted novelty 6.0

    The paper introduces SafeClawArena, a 406-task benchmark evaluating security failures in three Claw-like agent platforms across skill supply-chain, state exploitation, data flow, and prompt injection surfaces.

  16. SkillGuard: A Permission Framework for Agent Skills

    cs.CR 2026-06 unverdicted novelty 6.0

    SkillGuard presents a dual-plane permission framework for agent skills that achieves 99.76% taxonomy coverage and reduces attack success rates in evaluations on 315 skills.

  17. Remembering More, Risking More: Longitudinal Safety Risks in Memory-Equipped LLM Agents

    cs.AI 2026-05 unverdicted novelty 6.0

    Memory-equipped LLM agents exhibit increasing safety violation rates as memory accumulates across independent tasks, termed temporal memory contamination, detected via a new trigger-probe protocol.

  18. Leveraging RAG for Training-Free Alignment of LLMs

    cs.LG 2026-05 unverdicted novelty 6.0

    RAG-Pref is a training-free RAG-based alignment technique that conditions LLMs on contrastive preference samples during inference, yielding over 3.7x average improvement in agentic attack refusals when combined with o...

  19. Unsafe by Flow: Uncovering Bidirectional Data-Flow Risks in MCP Ecosystem

    cs.SE 2026-05 unverdicted novelty 6.0

    MCP-BiFlow detects 93.8% of known bidirectional data-flow vulnerabilities in MCP servers and identifies 118 confirmed issues across 87 real-world servers from a scan of 15,452 repositories.

  20. ClawGuard: A Runtime Security Framework for Tool-Augmented LLM Agents Against Indirect Prompt Injection

    cs.CR 2026-04 unverdicted novelty 6.0

    ClawGuard enforces user-derived access constraints at tool-call boundaries to block indirect prompt injection in tool-augmented LLM agents across web, MCP, and skill injection channels.

  21. ClawGuard: A Runtime Security Framework for Tool-Augmented LLM Agents Against Indirect Prompt Injection

    cs.CR 2026-04 unverdicted novelty 6.0

    ClawGuard enforces deterministic, user-derived access constraints at tool boundaries to block indirect prompt injection without changing the underlying LLM.

  22. Tracking Capabilities for Safer Agents

    cs.AI 2026-03 unverdicted novelty 6.0

    AI agents can generate code in a capability-safe Scala dialect that statically prevents information leakage and malicious side effects while preserving task performance.

  23. Semantic Attacks on Tool-Augmented LLMs: Securing the Model Context Protocol Against Descriptor-Level Manipulation

    cs.CR 2025-12 unverdicted novelty 6.0

    Descriptor-level manipulation in the Model Context Protocol can drive LLMs to unsafe tool selections in up to 36% of cases; a layered defense of integrity checks, auxiliary-LLM vetting, and runtime guardrails reduces ...

  24. Formalizing the Safety, Security, and Functional Properties of Agentic AI Systems

    cs.AI 2025-10 unverdicted novelty 6.0

    Introduces host agent and task lifecycle models plus 30 temporal logic properties to enable formal verification of liveness, safety, completeness, and fairness in agentic AI systems.

  25. ClawHub Security Signals: When VirusTotal, Static Analysis, and SkillSpector Disagree

    cs.CR 2026-05 accept novelty 5.0

    Analysis of 67,453 OpenClaw skills shows three scanners overlap on at most 10.4% of combined positives, with 81.9% flagged by only one scanner and distinct profiles for malicious versus suspicious skills.

  26. VIPER-MCP: Detecting and Exploiting Taint-Style Vulnerabilities in Model Context Protocol Servers

    cs.CR 2026-05 unverdicted novelty 5.0

    VIPER-MCP detects and exploits taint-style vulnerabilities in Model Context Protocol servers via anchor-query static analysis and feedback-driven prompt evolution, uncovering 106 zero-day vulnerabilities across 39,884...

  27. From Language to Action: Enhancing LLM Task Efficiency with Task-Aware MCP Server Recommendation

    cs.SE 2026-04 unverdicted novelty 5.0

    Introduces Task2MCP dataset and T2MRec model for recommending MCP servers to LLM agents based on task semantics and engineering constraints.

  28. Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP

    cs.CR 2026-02 unverdicted novelty 5.0

    The paper identifies twelve protocol-level security risks across MCP, A2A, Agora, and ANP and quantifies wrong-provider tool execution risk in MCP via a measurement-driven case study on multi-server composition.

  29. Securing the AI Agent: A Unified Framework for Multi-Layer Agent Red Teaming

    cs.CR 2026-06 unverdicted novelty 4.0

    AI-Infra-Guard is an open-source multi-layer red-teaming framework that pairs deterministic rules, LLM auditing, black-box testing, and jailbreak harnesses with the infrastructure, protocol, behavior, and model layers...

  30. DeltaMCP: Incremental Regeneration via Spec-Aware Transformation for MCP servers

    cs.SE 2026-05 unverdicted novelty 4.0

    DeltaMCP introduces specification-aware incremental regeneration to keep MCP servers synchronized with evolving OpenAPI specifications.

  31. CASCADE: A Cascaded Hybrid Defense Architecture for Prompt Injection Detection in MCP-Based Systems

    cs.CR 2026-04 unverdicted novelty 4.0

    CASCADE is a cascaded hybrid detector that combines fast regex/entropy filtering, BGE embeddings with local LLM fallback, and output pattern checks to achieve 95.85% precision and 6.06% false-positive rate against pro...