REVIEW 3 major objections 68 references
MCP security scanners flag nearly all runtime servers as risky, but those alerts are not reliable enough for ecosystem claims.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-14 07:09 UTC pith:XGPZ4SV7
load-bearing objection Large runtime MCP corpus plus a multi-scanner reliability audit that actually lands; the 96.89% headline is a union statistic and the precision sample is imperfectly matched to it, but the unreliability conclusion still holds. the 3 major comments →
Rethinking MCP Security: A Large-Scale Study of Runtime MCP Servers and Security Scanner Reliability
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
On 37,288 interactable MCP servers, existing scanners report 96.89 percent as risky, yet those signals are unreliable: a stratified manual sample yields only 45.53 percent average precision, average pairwise Jaccard agreement across scanners is 15.66 percent, and scanners recover only 24.17 percent of a CVE-based ground-truth set. The paper therefore reframes the headline from “MCP servers are unsafe” to “current MCP security scanners are not yet reliable enough for ecosystem-level security claims.”
What carries the argument
MCPZoo: a multi-agent deployment framework (Generation, Verification, and Diagnosis agents) that converts in-the-wild repositories into Dockerized services, validates them with real MCP protocol interactions (stdio, SSE, Streamable HTTP), and yields 64,611 unique servers of which 37,288 support dynamic analysis.
Load-bearing premise
The unreliability claim depends on a manual sample of roughly 100 flagged servers plus a ground-truth set of only 10 CVEs on 38 servers being representative of scanner precision and recall at full ecosystem scale.
What would settle it
A larger independent re-labeling of scanner alerts, or a substantially larger CVE-matched corpus, that showed average precision well above 80 percent, recall well above 70 percent, and high cross-scanner agreement would overturn the claim that scanners are unreliable for ecosystem-level conclusions.
If this is right
- Near-97 percent scanner-flag rates should not be read as evidence that nearly all MCP servers are vulnerable.
- Ecosystem security measurement needs runtime-validated servers and validated scanners, not metadata-only checks on small curated sets.
- Template-driven duplication and weak out-of-the-box deployment practices multiply the instances that inherit the same flaws.
- Practical risk triage should surface multi-scanner agreement and validation status rather than treat single-scanner alerts as confirmed vulnerabilities.
- Future scanners need evidence grounded in reachable runtime behavior, not capability keywords or unvalidated model inference alone.
Where Pith is reading between the lines
- Agent platforms that auto-install popular MCP servers may systematically over-block or under-protect users depending on which scanner they trust.
- Markets that re-list near-identical template replicas will amplify both shared real flaws and clustered scanner false positives.
- The same multi-agent deploy-and-verify loop could serve as a continuous-integration gate for MCP package registries.
- Closing the precision–recall gap may require hybrid static data-flow analysis plus constrained dynamic probing rather than either style alone.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper constructs MCPZoo, a large runtime-enabled corpus of MCP servers obtained by multi-source collection and a multi-agent Generation–Verification–Diagnosis pipeline that produces Dockerized deployments validated by real MCP protocol handshakes and tools/list. From 156,842 raw market entries it retains 64,611 unique servers, of which 37,288 are interactable (57.7% agent success). Using this corpus it characterizes ecosystem structure (cross-market overlap, 28.3% code-level duplication, weak native deployability, long-tailed tool exposure with 37.66% high-capability tools) and evaluates eight public MCP security scanners under fixed configs. Scanners flag 96.89% of interactable servers as risky by union, yet a dual-reviewed stratified sample of 100 flagged servers yields only 45.53% average precision, pairwise Jaccard agreement is 15.66%, and recall on a 10-CVE / 38-server ground-truth set is 24.17%. The authors conclude that current scanners are not reliable enough for ecosystem-level security claims and release a public query interface over normalized reports.
Significance. If the reliability result holds, the paper substantially revises how the community should interpret MCP scanner outputs and provides the first large, protocol-validated runtime substrate for MCP security measurement. Strengths include operational success criteria (JSON-RPC initialize + tools/list), dual-reviewer human validation of deployments (κ=0.95) and precision labels (κ=0.87), controlled multi-scanner execution with a fixed local LLM backend, and an external CVE-mapped recall set rather than circular self-scoring. The public query interface and the scale jump relative to prior dynamic studies (Table 1) are concrete contributions that other groups can reuse. The work is timely for agent-tool security and directly actionable for scanner developers and MCP market operators.
major comments (3)
- §5.3 / Table 7: The headline claim that scanners are unreliable for ecosystem-level claims is motivated by the 96.89% union risk rate (§5.2, Table 6) but supported by an unweighted average precision of 45.53% over stratified sampled alerts. High-volume low-precision scanners (A.I.G dynamic 10.40%, Agent-Scan 28.21%, mcp-armor 20.34%) dominate the union. The manuscript should report (i) volume-weighted or server-level precision of the union (or of majority-vote / multi-scanner agreement strata) and (ii) confidence intervals or bootstrap estimates for the 100-server sample, so that the precision of the quantity used in the abstract is estimated rather than only per-scanner averages.
- §5.3 / Appendix D (Table 10): The CVE ground-truth set comprises only 10 CVEs affecting 38 servers and is heavily skewed toward command injection and credential leakage. Overall recall of 24.17% is therefore informative but thin for the strong claim of limited recall on confirmed issues. Either expand the set (additional NVD/GitHub-mapped MCP CVEs or a small hand-crafted exploit suite with reachable paths) or explicitly bound the recall claim to the covered vulnerability types and avoid treating 24.17% as a general ecosystem recall figure.
- §6.2 Deployment Bias and §4.2: 42.3% of unique servers remain non-interactable; failures are dominated by external credentials and infrastructure coupling (63.6%). Dynamic scanners and the 96.89% figure are defined only on the deployable subset. The paper should quantify whether non-deployable servers differ systematically in tool capability, market origin, or static scanner flags (MCPScan / A.I.G static can still run on source), and state how this selection may bias the reliability conclusion toward easier-to-sandbox projects.
Circularity Check
No load-bearing circularity: scanner unreliability is measured against independent manual review and public CVEs, not against scanner outputs or MCPZoo construction heuristics.
specific steps
-
self citation load bearing
[Section 7 Related Work, final paragraph]
"Our earlier MCPZoo preprint [63] introduced the initial dataset and automated deployment framework. This article extends that work with an expanded runtime corpus, ecosystem characterization, and a large-scale reliability evaluation and validation of MCP security scanners."
The citation is to a prior arXiv by largely the same authors. It is not load-bearing: the scanner precision/recall/Jaccard results are newly measured on the expanded corpus against independent human labels and public CVEs, so the central claim does not reduce to the earlier preprint.
full rationale
This is an empirical measurement paper. The central claim (scanners flag 96.89% of 37,288 interactable servers as risky yet average sampled precision is only 45.53%, pairwise Jaccard is 15.66%, and CVE recall is 24.17%) is obtained by running eight external scanners on MCPZoo, then validating a stratified sample of 100 flagged servers by two independent human reviewers (Cohen’s κ=0.87) under an explicit true-positive rule requiring concrete reachable unsafe behavior, plus a separate 10-CVE/38-server ground-truth set drawn from NVD. None of these quantities is defined from, or fitted to, the scanners’ own scores or the multi-agent deployment loop that built MCPZoo. The only self-reference is the lineage note that an earlier preprint by overlapping authors introduced the initial MCPZoo dataset; that citation is not used to justify the reliability numbers, uniqueness of any method, or any prediction. Deployment success (57.7%) and tool-capability statistics are descriptive measurements, not predictions derived from fitted parameters. Consequently there is no self-definitional step, no fitted-input-called-prediction, no uniqueness theorem imported from the authors, and no ansatz smuggled via citation. Score 1 reflects only the minor, non-load-bearing self-citation of the prior preprint.
Axiom & Free-Parameter Ledger
free parameters (4)
- max_build_attempts
- scanner_execution_timeout_and_iterations
- scanner_selection_star_threshold
- LLM_backend_for_agents_and_scanners
axioms (4)
- domain assumption A server supports dynamic analysis iff a compliant MCP client completes initialize and receives a schema-compliant tools/list response over stdio/SSE/HTTP.
- ad hoc to paper An alert is a true positive only when evidence shows concrete vulnerable behavior or a reachable unsafe data/control flow, not mere capability or suspicious wording.
- domain assumption Public market crawls plus MCP library/signature filters yield a representative view of the real-world MCP server population after URL and code-level dedup.
- domain assumption Standard container isolation and least-privilege sandboxing make large-scale execution of untrusted MCP servers ethically and operationally acceptable for measurement.
invented entities (2)
-
MCPZoo multi-agent deploy/repair/verify pipeline (Generation, Verification, Diagnosis agents)
no independent evidence
-
Unified risk taxonomy (Prompt Injection, Command Execution, Data Leakage, Other) mapping heterogeneous scanner labels
no independent evidence
read the original abstract
The Model Context Protocol (MCP) has rapidly established itself as a standard interface for enabling LLM-based agents to interact with external tools and services. As MCP servers are increasingly entrusted with security-sensitive operations, understanding their real-world risks has become critical. In practice, due to the absence of large-scale runtime MCP servers, such understanding largely relies on security scanners applied to a small number of cases, yet the reliability of these assessments remains unclear. In this study, we revisit how MCP security is measured. We present MCPZoo, the largest collection of MCP servers for dynamic analysis to date. MCPZoo is constructed through a multi-agent framework for transforming in-the-wild static repositories into dynamic services. The framework emulates how human experts build, diagnose, and iteratively repair deployment and runtime defects by combining environment inference with feedback-driven refinement. To ensure practical interactivity at runtime, the servers are validated via real protocol interactions. As a result, MCPZoo contains 64,611 unique MCP servers (113,927 in total), with more than 37,288 supporting dynamic analysis. Leveraging MCPZoo, we conduct the first ecosystem-scale measurement of MCP servers and the scanners that analyze them. While existing scanners report that 96.89% of servers are risky, we find that these signals are unreliable. In particular, manual validation shows that less than 50% of sampled alerts are true positives, and scanner outputs exhibit clear inconsistency across scanners. Overall, MCPZoo enables large-scale, reproducible measurement of MCP server security and exposes limitations of current scanning practices. We further release a public query interface to support practical risk assessment of MCP servers.
Figures
Reference graph
Works this paper leans on
-
[1]
AIbase. 2025. AIbase MCP. https://mcp.aibase.com. Accessed: 2025-12
2025
-
[2]
Aira Security. 2026. mcp-armor: MCP Configuration Scanner with Client-Aware Security Analysis. https://github.com/aira-security/mcp-armor
2026
-
[3]
Ant Group. 2025. MCPScan: Security Analysis Tool for MCP Servers. https: //github.com/antgroup/MCPScan. GitHub repository. 13 Chen et al
2025
-
[4]
Anthropic. 2024. Model Context Protocol (MCP) Specification. https://modelc ontextprotocol.io/docs/learn/architecture Accessed: 2025-12
2024
-
[5]
Anthropic. 2025. Donating the Model Context Protocol and Establishing of the Agentic AI Foundation. https://www.anthropic.com/news/donating-the-model- context-protocol-and-establishing-of-the-agentic-ai-foundation. Official announcement
2025
-
[6]
Yifeng Cai, Ziming Wang, Zhaomeng Deng, Mengyu Yao, Junlin Liu, Yu- tao Hu, Ziqi Zhang, Yao Guo, and Ding Li. 2025. Who Grants the Agent Power? Defending Against Instruction Injection via Task-Centric Access Control. arXiv:2510.26212 [cs.CR]
arXiv 2025
-
[7]
Olga Churakova, Mathias Ekstedt, and Valentina Lenarduzzi. 2025. VEXed: Does VEX Itself Need Security Fixes? arXiv:2503.14388 [cs.CR] https://arxiv.org/abs/ 2503.14388
arXiv 2025
-
[8]
Cisco AI Defense. 2025. mcp-scanner: MCP Security Scanner. https://github.c om/cisco-ai-defense/mcp-scanner. GitHub repository
2025
-
[9]
Nicola Croce and Tobin South. 2025. Trivial Trojans: How Minimal MCP Servers Enable Cross-Tool Exfiltration of Sensitive Data. arXiv:2507.19880 [cs.CR] https: //arxiv.org/abs/2507.19880
Pith/arXiv arXiv 2025
-
[10]
Edoardo Debenedetti, Jie Zhang, Mislav Balunović, Luca Beurer-Kellner, Marc Fis- cher, and Florian Tramèr. 2024. AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents. arXiv:2406.13352 [cs.CR] https://arxiv.org/abs/2406.13352
Pith/arXiv arXiv 2024
-
[11]
Kazem Faghih, Wenxiao Wang, Yize Cheng, Siddhant Bharti, Gaurang Srira- manan, Sriram Balasubramanian, Parsa Hosseini, and Soheil Feizi. 2025. Tool Pref- erences in Agentic LLMs are Unreliable. InProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, Christos Christodoulopoulos, Tanmoy Chakraborty, Carolyn Rose, and Violet...
-
[12]
FastAPI. 2025. FastAPI. https://fastapi.tiangolo.com/. Official website
2025
-
[13]
Mohamed Amine Ferrag, Norbert Tihanyi, Djallel Hamouda, Leandros Maglaras, Abderrahmane Lakas, and Merouane Debbah. 2026. From prompt injections to protocol exploits: Threats in LLM-powered AI agents workflows.ICT Express12, 2 (2026), 353–383. doi:10.1016/j.icte.2025.12.001
-
[14]
Muhan Gao, TaiMing Lu, Kuai Yu, Adam Byerly, and Daniel Khashabi. 2024. Insights into LLM Long-Context Failures: When Transformers Know but Don’t Tell. InFindings of the Association for Computational Linguistics: EMNLP 2024, Yaser Al-Onaizan, Mohit Bansal, and Yun-Nung Chen (Eds.). Association for Computational Linguistics, Miami, Florida, USA, 7611–7625....
doi:10.18653/v1/20 2024
-
[15]
GitHub. 2026. GitHub REST API Documentation. https://docs.github.com/en/rest. Accessed: 2026-02-06
2026
-
[16]
Hechuan Guo, Yongle Hao, Yue Zhang, Minghui Xu, Peizhuo Lv, Jiezhi Chen, and Xiuzhen Cheng. 2025. A Measurement Study of Model Context Protocol Ecosystem. arXiv:2509.25292 [cs.CY]
arXiv 2025
-
[17]
Yongjian Guo, Puzhuo Liu, Wanlun Ma, Zehang Deng, Xiaogang Zhu, Peng Di, Xi Xiao, and Sheng Wen. 2025. Systematic Analysis of MCP Security. arXiv:2508.12538 [cs.CR] https://arxiv.org/abs/2508.12538
Pith/arXiv arXiv 2025
-
[18]
Mohammed Mehedi Hasan, Hao Li, Emad Fallahzadeh, Gopi Krishnan Rajba- hadur, Bram Adams, and Ahmed E. Hassan. 2026. Model Context Protocol (MCP) at First Glance: Studying the Security and Maintainability of MCP Servers. arXiv:2506.13538 [cs.SE] https://arxiv.org/abs/2506.13538
Pith/arXiv arXiv 2026
-
[19]
Xinyi Hou, Yanjie Zhao, Shenao Wang, and Haoyu Wang. 2025. Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions. arXiv:2503.23278 [cs.CR] https://arxiv.org/abs/2503.23278
Pith/arXiv arXiv 2025
-
[20]
Huihao Jing, Haoran Li, Wenbin Hu, Qi Hu, Xu Heli, Tianshu Chu, Peizhao Hu, and Yangqiu Song. 2025. MCIP: Protecting MCP Safety via Model Contextual Integrity Protocol. InProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, Christos Christodoulopoulos, Tanmoy Chakraborty, Carolyn Rose, and Violet Peng (Eds.). Association...
-
[21]
khesayed. 2025. ecommerce-store-mcp: A Model Context Protocol Server for E-commerce. https://github.com/khesayed/ecommerce-store-mcp
2025
-
[22]
kocierik. 2025. mcp-nomad: A Model Context Protocol Server for HashiCorp Nomad. https://github.com/kocierik/mcp-nomad
2025
-
[23]
Pratyay Kumar, Miguel Antonio Guirao Aguilera, Srikathyayani Srikanteswara, Satyajayant Misra, and Abu Saleh Md Tayeen. 2026. MCP-in-SoS: Risk assessment framework for open-source MCP servers. arXiv:2603.10194 [cs.CR] https: //arxiv.org/abs/2603.10194
arXiv 2026
-
[24]
Lasso Security. 2025. MCP Gateway. https://github.com/lasso-security/mcp- gateway
2025
-
[25]
Xiaofan Li and Xing Gao. 2026. A First Look at the Security Issues in the Model Context Protocol Ecosystem. arXiv:2510.16558 [cs.CR] https://arxiv.org/abs/25 10.16558
Pith/arXiv arXiv 2026
-
[26]
Liu, Kevin Lin, John Hewitt, Ashwin Paranjape, Michele Bevilacqua, Fabio Petroni, and Percy Liang
Nelson F. Liu, Kevin Lin, John Hewitt, Ashwin Paranjape, Michele Bevilacqua, Fabio Petroni, and Percy Liang. 2024. Lost in the Middle: How Language Models Use Long Contexts.Transactions of the Association for Computational Linguistics 12 (2024), 157–173. doi:10.1162/tacl_a_00638
-
[27]
MCP Market. 2025. MCP Market. https://mcpmarket.com/. Accessed: 2025-12
2025
-
[28]
MCP Repository. 2025. MCP Repository. https://mcprepository.com/. Accessed: 2025-12
2025
-
[29]
MCP Store. 2025. MCP Store. https://mcpstore.co. Accessed: 2025-12
2025
-
[30]
MCP World. 2025. MCP World. https://www.mcpworld.com/. Accessed: 2025-12
2025
-
[31]
Mcp.so. 2025. Mcp.so. https://mcp.so. Accessed: 2025-12
2025
-
[32]
Kanghua Mo, Li Hu, Yucheng Long, and Zhihao li. 2026. Attractive Metadata Attack: Inducing LLM Agents to Invoke Malicious Tools. The Thirty-ninth Annual Conference on Neural Information Processing Systems. https://openre view.net/forum?id=oLGtPYdRzU
2026
-
[33]
Model Context Protocol Community. 2025. Model Context Protocol Registry. https://registry.modelcontextprotocol.io/. Official MCP server registry
2025
-
[34]
National Institute of Standards and Technology. 2025. CVE-2025-53818 Detail. https://nvd.nist.gov/vuln/detail/CVE-2025-53818. National Vulnerability Database
2025
-
[35]
National Institute of Standards and Technology. 2025. CVE-2025-66580 Detail. https://nvd.nist.gov/vuln/detail/CVE-2025-66580. National Vulnerability Database
2025
-
[36]
National Institute of Standards and Technology. 2025. CVE-2025-68669 Detail. https://nvd.nist.gov/vuln/detail/CVE-2025-68669. National Vulnerability Database
2025
-
[37]
National Institute of Standards and Technology. 2026. CVE-2026-22793 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-22793. National Vulnerability Database
2026
-
[38]
National Institute of Standards and Technology. 2026. CVE-2026-25546 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-25546. National Vulnerability Database
2026
-
[39]
National Institute of Standards and Technology. 2026. CVE-2026-25650 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-25650. National Vulnerability Database
2026
-
[40]
National Institute of Standards and Technology. 2026. CVE-2026-27825 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-27825. National Vulnerability Database
2026
-
[41]
National Institute of Standards and Technology. 2026. CVE-2026-33946 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-33946. National Vulnerability Database
2026
-
[42]
National Institute of Standards and Technology. 2026. CVE-2026-33980 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-33980. National Vulnerability Database
2026
-
[43]
National Institute of Standards and Technology. 2026. CVE-2026-39884 Detail. https://nvd.nist.gov/vuln/detail/CVE-2026-39884. National Vulnerability Database
2026
-
[44]
David Noever. 2025. Servant, Stalker, Predator: How An Honest, Helpful, And Harmless (3H) Agent Unlocks Adversarial Skills. arXiv:2508.19500 [cs.CR] https: //arxiv.org/abs/2508.19500
Pith/arXiv arXiv 2025
-
[45]
Nova Hunting. 2026. nova-proximity: MCP and Claude Skill Security Scanner. https://github.com/Nova-Hunting/nova-proximity
2026
-
[46]
npm, Inc. 2026. npm Registry. https://www.npmjs.com/. Accessed: 2026-02-03
2026
-
[47]
Pulse MCP. 2025. Pulse MCP. https://www.pulsemcp.com/servers. Accessed: 2025-12
2025
-
[48]
Python Software Foundation. 2026. Python Package Index (PyPI). https://pypi.o rg/. Accessed: 2026-02-03
2026
-
[49]
Brandon Radosevich and John Halloran. 2025. MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits. https://www.arxiv.org/ abs/2504.03767. arXiv:2504.03767 [cs.CR] MCPSafetyScanner
Pith/arXiv arXiv 2025
-
[50]
Partha Pratim Ray. 2025. A survey on model context protocol: Architecture, state-of-the-art, challenges and future directions. Authorea Preprints
2025
-
[51]
Yi Ting Shen, Kentaroh Toyoda, and Alex Leung. 2026. MCPThreatH- ive: Automated Threat Intelligence for Model Context Protocol Ecosystems. arXiv:2604.13849 [cs.CR] https://arxiv.org/abs/2604.13849
Pith/arXiv arXiv 2026
-
[52]
Haoran Shi, Hongwei Yao, Shuo Shao, Shaopeng Jiao, Ziqi Peng, Zhan Qin, and Cong Wang. 2025. Quantifying Conversation Drift in MCP via Latent Polytope. arXiv:2508.06418 [cs.CL] https://arxiv.org/abs/2508.06418
Pith/arXiv arXiv 2025
-
[53]
Smithery. 2025. Smithery. https://smithery.ai. Accessed: 2025-12
2025
-
[54]
Snyk. 2025. Agent-Scan: A Static Analysis Tool for Detecting Security Issues in MCP Servers. https://github.com/snyk/agent-scan. Accessed: 2025-12
2025
-
[55]
Hao Song, Yiming Shen, Wenxuan Luo, Leixin Guo, Ting Chen, Jiashui Wang, Beibei Li, Xiaosong Zhang, and Jiachi Chen. 2025. Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol (MCP) Ecosystem. arXiv:2506.02040 [cs.CR] https://arxiv.org/abs/2506.02040
Pith/arXiv arXiv 2025
-
[56]
Merlin Stein. 2026. How are AI agents used? Evidence from 177,000 MCP tools. arXiv:2603.23802 [cs.CY] https://arxiv.org/abs/2603.23802
arXiv 2026
-
[57]
supercorp-ai. 2025. Supergateway. https://github.com/supercorp-ai/supergate way. GitHub repository
2025
-
[58]
Tencent Zhuque Lab. 2025. AI-Infra-Guard: A Comprehensive, Intelligent, and Easy-to-Use AI Red Teaming Platform. GitHub repository. https://github.com /Tencent/AI-Infra-Guard 14 Rethinking MCP Security: A Large-Scale Study of Runtime MCP Servers and Security Scanner Reliability
2025
-
[59]
Aditi Tiwari, Akshit Bhalla, and Darshan Prasad. 2025. Model Con- text Protocol for Vision Systems: Audit, Security, and Protocol Extensions. arXiv:2509.22814 [cs.CR] https://arxiv.org/abs/2509.22814
arXiv 2025
-
[60]
w 10-m. 2025. gsuite: An MCP Server for Google Workspace Integration. https: //github.com/w-10-m/gsuite
2025
-
[61]
Zhiqiang Wang, Yichao Gao, Yanting Wang, Suyuan Liu, Haifeng Sun, Hao- ran Cheng, Guanquan Shi, Haohua Du, and Xiangyang Li. 2025. MCP- Tox: A Benchmark for Tool Poisoning Attack on Real-World MCP Servers. arXiv:2508.14925 [cs.CR] https://arxiv.org/abs/2508.14925
Pith/arXiv arXiv 2025
-
[62]
Zihan Wang, Rui Zhang, Yu Liu, Wenshu Fan, Wenbo Jiang, Qingchuan Zhao, Hongwei Li, and Guowen Xu. 2026. Mpma: Preference manipulation attack against model context protocol.Proceedings of the AAAI Conference on Artificial Intelligence40, 42 (2026), 35838–35846
2026
-
[63]
Mengying Wu, Pei Chen, Geng Hong, Baichao An, Jinsong Chen, Binwang Wan, Xudong Pan, Jiarun Dai, and Min Yang. 2025. MCPZoo: A Large-Scale Dataset of Runnable Model Context Protocol Servers for AI Agent. arXiv:2512.15144 [cs.CR] https://arxiv.org/abs/2512.15144
arXiv 2025
-
[64]
Yixuan Yang, Daoyuan Wu, and Yufan Chen. 2025. MCPSecBench: A System- atic Security Benchmark and Playground for Testing Model Context Protocols. arXiv:2508.13220 [cs.CR] https://arxiv.org/abs/2508.13220
arXiv 2025
-
[65]
Zhonghao Zhan, Huichi Zhou, Zhenhao Li, Peiyuan Jing, Krinos Li, and Hamed Haddadi. 2026. How Adversarial Environments Mislead Agentic AI? arXiv:2604.18874 [cs.AI] https://arxiv.org/abs/2604.18874
Pith/arXiv arXiv 2026
-
[66]
Dongsen Zhang, Zekun Li, Xu Luo, Xuannan Liu, Peipei Li, and Wenjun Xu
-
[67]
arXiv:2510.15994 [cs.CR] https://arxiv.org/abs/2510.1 5994
MCP Security Bench (MSB): Benchmarking Attacks Against Model Context Protocol in LLM Agents. arXiv:2510.15994 [cs.CR] https://arxiv.org/abs/2510.1 5994
-
[68]
MD5": The exact MD5 string provided in the in- put. •
Shuli Zhao, Qinsheng Hou, Zihan Zhan, Yanhao Wang, Yuchong Xie, Yu Guo, Libo Chen, Shenghong Li, and Zhi Xue. 2026. Parasites in the Toolchain: A Large- Scale Analysis of Attacks on the MCP Ecosystem. arXiv:2509.06572 [cs.CR] https://arxiv.org/abs/2509.06572 A Ethical Considerations We structure our ethical considerations by linking a stakeholder- based a...
Pith/arXiv arXiv 2026
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.