Pith: machine review for the scientific record

arxiv: 2602.11327 · v2 · submitted 2026-02-11 · 💻 cs.CR · cs.AI

Recognition: no theorem link

Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP


Pith reviewed 2026-05-16 05:02 UTC · model grok-4.3

classification: cs.CR · cs.AI
keywords: AI agent protocols · threat modeling · security risk assessment · MCP · A2A · tool execution validation · multi-agent systems · attestation

The pith

Four AI agent protocols share twelve design-linked risks that a new assessment framework scores across creation, operation, and update phases, with MCP measurements showing wrong-provider tool executions when validation is absent.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper builds a structured threat model for MCP, A2A, Agora, and ANP by examining their architectures, trust assumptions, interaction patterns, and lifecycle behaviors. It then applies a qualitative risk framework to rate twelve protocol-level risks by likelihood and impact, producing overall posture scores for each phase. A measurement case study on MCP quantifies how often executable components run from the wrong provider under multi-server composition and different resolver policies. A sympathetic reader would care because these protocols are entering production use for scalable agent systems, and the identified risks directly affect whether cross-organizational tool calls and agent interactions stay reliable. The work supplies concrete guidance on which protocol choices reduce exposure during deployment and standardization.

Core claim

The central claim is that the four protocols exhibit overlapping risk surfaces arising from their trust models and interaction patterns, that these surfaces are captured by twelve risks whose likelihood, impact, and phase-specific scores can be evaluated systematically, and that MCP specifically allows measurable wrong-provider tool execution when mandatory validation or attestation of executable components is omitted under representative multi-server resolver policies.

What carries the argument

The qualitative risk assessment framework that defines twelve protocol-level risks and computes likelihood, impact, and overall risk scores for the creation, operation, and update phases of each protocol.

If this is right

  • Protocol designers must add mandatory validation or attestation steps for executable components to reduce wrong-provider tool execution in MCP deployments.
  • Security posture scores from the framework can be used to prioritize fixes in the operation phase over creation or update phases for all four protocols.
  • Standardization bodies should require the threat-modeling steps described here when evaluating new agent communication protocols.
  • Cross-protocol interoperability decisions should weigh the shared risk surfaces identified in the comparative analysis rather than treating each protocol in isolation.
  • Deployers can map the twelve risks to their own resolver policies to decide which protocol offers the lowest overall risk for a given use case.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The measurement approach used for MCP could be applied directly to A2A, Agora, and ANP to produce comparable empirical numbers instead of relying only on qualitative scores.
  • If the framework is adopted, agent platforms would likely need new runtime checks that enforce the validation steps the paper identifies as missing.
  • The risk surfaces around trust assumptions may connect to broader questions of agent identity and delegation that appear in multi-agent coordination beyond pure communication protocols.
  • Organizations could test whether adding attestation layers changes the observed wrong-provider rates in live MCP deployments and feed those results back into updated risk scores.

Load-bearing premise

The twelve risks comprehensively cover the main threat surfaces and the qualitative likelihood and impact scores accurately represent real deployment conditions without further empirical validation for every protocol.

What would settle it

An experiment that runs MCP in a multi-server setup, counts the actual rate of wrong-provider tool executions under the paper's representative resolver policies both with and without mandatory component validation, and checks whether the observed rates match the paper's quantified claims.
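The experiment just described, modelled as an added example that is not the paper's code: a toy host composes tool catalogs from two MCP servers whose tool lists collide on one name, resolves each call under assumed first-match and last-match policies over every server start-up order, and counts wrong-provider executions with and without a pinned provider-plus-digest check standing in for mandatory validation or attestation. Server names, tool definitions, the two policies and the digest check are all assumptions, not the paper's resolver policies or attestation mechanism.

```python
"""Toy model of MCP multi-server tool-name resolution (added example).

Server names, tool definitions, the two resolver policies and the
provider+digest pin are constructed for illustration; they are not the
paper's resolver policies or attestation mechanism.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, Optional

# Constructed sample servers: both expose a tool called "read_file".
SERVERS: dict[str, list[tuple[str, str]]] = {
    "fs-official": [("read_file", "Read a file from the approved workspace")],
    "notes-helper": [
        ("read_file", "Read a note (also registered as read_file)"),
        ("summarize", "Summarize a note"),
    ],
}

# What the host intends per call: tool name plus the provider the user approved.
INTENTS: list[tuple[str, str]] = [
    ("read_file", "fs-official"),
    ("summarize", "notes-helper"),
]


@dataclass(frozen=True)
class ToolDef:
    name: str
    provider: str
    digest: str  # stand-in for an attestation of the executable component


def tool_digest(provider: str, name: str, description: str) -> str:
    """Bind the definition to its provider, so a same-name copy elsewhere differs."""
    return hashlib.sha256(f"{provider}\0{name}\0{description}".encode()).hexdigest()


def compose(servers: dict[str, list[tuple[str, str]]], order: tuple[str, ...]) -> list[ToolDef]:
    """Flatten the tool lists in server start-up order, as a composing host does."""
    return [ToolDef(n, p, tool_digest(p, n, d)) for p in order for n, d in servers[p]]


# Assumed resolver policies: which candidate wins when names collide.
POLICIES: dict[str, Callable[[list[ToolDef]], ToolDef]] = {
    "first_match": lambda cands: cands[0],
    "last_match": lambda cands: cands[-1],
}


def make_pins(servers, intents) -> dict[str, tuple[str, str]]:
    """Record (provider, digest) for each intended tool at approval time."""
    pins = {}
    for name, provider in intents:
        description = dict(servers[provider])[name]
        pins[name] = (provider, tool_digest(provider, name, description))
    return pins


def resolve(catalog: list[ToolDef], name: str, policy: str,
            pins: Optional[dict[str, tuple[str, str]]] = None) -> Optional[ToolDef]:
    """Choose the tool to execute; None means the host refuses to execute."""
    cands = [t for t in catalog if t.name == name]
    if pins is not None:  # mandatory validation: only the pinned provider+digest may run
        cands = [t for t in cands if (t.provider, t.digest) == pins[name]]
    return POLICIES[policy](cands) if cands else None


def measure(servers, intents, policy: str, pins=None) -> dict[str, float]:
    """Wrong-provider and refusal rates over every server start-up order."""
    wrong = refused = total = 0
    for order in permutations(servers):
        catalog = compose(servers, order)
        for name, expected in intents:
            total += 1
            chosen = resolve(catalog, name, policy, pins)
            if chosen is None:
                refused += 1
            elif chosen.provider != expected:
                wrong += 1
    return {"wrong_provider_rate": wrong / total, "refusal_rate": refused / total}


def tampered(servers, provider: str, name: str, new_description: str):
    """Copy of the servers with one tool definition changed after approval."""
    out = {p: list(ts) for p, ts in servers.items()}
    out[provider] = [(n, new_description if n == name else d) for n, d in out[provider]]
    return out


if __name__ == "__main__":
    pins = make_pins(SERVERS, INTENTS)
    for policy in POLICIES:
        print(policy, "no validation:", measure(SERVERS, INTENTS, policy))
        print(policy, "pinned:       ", measure(SERVERS, INTENTS, policy, pins))
    # Definition changed after approval: provider is right, digest is not.
    changed = tampered(SERVERS, "fs-official", "read_file", "Read a file (changed after approval)")
    print("changed definition, no validation:", measure(changed, INTENTS, "first_match"))
    print("changed definition, pinned:       ", measure(changed, INTENTS, "first_match", pins))
```

In this toy setup the wrong-provider rate without validation is 0.25 under either policy, drops to 0 with the pin, and a definition changed after approval is refused rather than executed, which a provider-only check would not catch.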

Figures

Figures reproduced from arXiv: 2602.11327 by Ali Ghorbani, Gunjan Piya, Igor Opushnyev, Mahdi Rabbani, Mansur Mirani, Sajjad Dadkhah, Zeynab Anbiaee.

Figure 1: Evolution of AI toward agentic systems, the shift from passive to proactive interaction, and the resulting protocol security gap motivating this work.
Figure 2: Architecture and workflow of MCP, A2A, Agora and ANP.
Figure 3: Security threat taxonomy for AI agent communication protocols.
Figure 4: NIST SP 800-30 lifecycle-based risk assessment workflow for AI-agent communication protocols.
Figure 5: Experimental Architecture for MCP Tool Identity Ambiguity Evalua
Original abstract

The rapid development of the AI agent communication protocols, including the Model Context Protocol (MCP), Agent2Agent (A2A), Agora, and Agent Network Protocol (ANP), is reshaping how AI agents communicate with tools, services, and each other. While these protocols support scalable multi-agent interaction and cross-organizational interoperability, their security principles remain understudied, and standardized threat modeling is limited; no protocol-centric risk assessment framework has been established yet. This paper presents a systematic security analysis of four emerging AI agent communication protocols. First, we develop a structured threat modeling analysis that examines protocol architectures, trust assumptions, interaction patterns, and lifecycle behaviors to identify protocol-specific and cross-protocol risk surfaces. Second, we introduce a qualitative risk assessment framework that identifies twelve protocol-level risks and evaluates security posture across the creation, operation, and update phases through systematic assessment of likelihood, impact, and overall protocol risk, with implications for secure deployment and future standardization. Third, we provide a measurement-driven case study on MCP that formalizes the risk of missing mandatory validation/attestation for executable components as a falsifiable security claim by quantifying wrong-provider tool execution under multi-server composition across representative resolver policies. Collectively, our results highlight key design-induced risk surfaces and provide actionable guidance for secure deployment and future standardization of agent communication ecosystems.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims to deliver a systematic security analysis of four emerging AI-agent communication protocols (MCP, A2A, Agora, ANP) by (1) applying structured threat modeling to protocol architectures, trust assumptions, interaction patterns, and lifecycles, (2) introducing a qualitative risk-assessment framework that identifies twelve protocol-level risks and scores them by likelihood and impact across creation, operation, and update phases, and (3) presenting a measurement-driven MCP case study that quantifies wrong-provider tool execution under multi-server composition to formalize the risk of missing mandatory validation/attestation as a falsifiable security claim.

Significance. If the central claims hold, the work is significant because it supplies the first protocol-centric threat-modeling framework for AI-agent communication ecosystems and supplies one concrete, quantified example that could serve as a template for future empirical security evaluations. The emphasis on design-induced risk surfaces and actionable standardization guidance is timely given the rapid adoption of these protocols.

major comments (2)
  1. [MCP case study] MCP case-study section: the quantification of wrong-provider tool execution is presented as a falsifiable claim, yet the manuscript does not specify the exact resolver-policy logic, composition rules, or threat-model parameters (e.g., what constitutes a 'wrong-provider' trigger or how multi-server resolution is modeled). Without these details the reported rates cannot be reproduced or independently falsified, undermining the load-bearing security claim.
  2. [Threat modeling and risk framework] Risk-identification section: the derivation of the twelve risks is described as systematic, but the paper provides no explicit mapping from the examined architectural features to each risk, nor any justification that the set is exhaustive. This leaves the completeness of the framework open to question and weakens the cross-protocol comparisons.
minor comments (2)
  1. [Abstract] Abstract: the twelve risks are referenced but never enumerated or briefly characterized, making it difficult for readers to grasp the scope of the contribution at first reading.
  2. [Risk assessment framework] Notation: the paper uses 'overall protocol risk' without defining the aggregation rule (e.g., max, weighted sum) applied to likelihood and impact scores.

Simulated Author's Rebuttal

2 responses · 0 unresolved

Thank you for the constructive comments. We respond to each major comment below and will revise the manuscript accordingly to improve clarity and reproducibility.

Point-by-point responses
  1. Referee: [MCP case study] MCP case-study section: the quantification of wrong-provider tool execution is presented as a falsifiable claim, yet the manuscript does not specify the exact resolver-policy logic, composition rules, or threat-model parameters (e.g., what constitutes a 'wrong-provider' trigger or how multi-server resolution is modeled). Without these details the reported rates cannot be reproduced or independently falsified, undermining the load-bearing security claim.

    Authors: We thank the referee for pointing this out. Upon review, we agree that additional details are needed for full reproducibility of the MCP case study. In the revised manuscript, we will expand the case study section to include explicit descriptions of the resolver-policy logic, composition rules, threat-model parameters, definitions of 'wrong-provider' triggers, and the modeling approach for multi-server resolution. This will include specific examples and potentially pseudocode to allow independent verification and falsification of the reported rates. revision: yes

  2. Referee: [Threat modeling and risk framework] Risk-identification section: the derivation of the twelve risks is described as systematic, but the paper provides no explicit mapping from the examined architectural features to each risk, nor any justification that the set is exhaustive. This leaves the completeness of the framework open to question and weakens the cross-protocol comparisons.

    Authors: We acknowledge the value of an explicit mapping. We will revise the risk-identification section to include a detailed mapping table that links each of the twelve risks to the specific architectural features, trust assumptions, interaction patterns, and lifecycle behaviors examined during the threat modeling. Additionally, we will provide a justification for the set's coverage, explaining how it derives from the protocol analyses and noting its extensibility for future protocols. This should strengthen the cross-protocol comparisons and address concerns about completeness. revision: yes

Circularity Check

0 steps flagged

No circularity detected; threat modeling and case study are direct architectural analysis

full rationale

The paper develops its threat model and twelve-risk framework through direct examination of protocol architectures, trust assumptions, interaction patterns, and lifecycle behaviors. The MCP case study quantifies wrong-provider tool execution via measurement under representative resolver policies without any equations, fitted parameters, or reductions to self-defined inputs. No self-citations are invoked as load-bearing premises for uniqueness theorems or ansatzes. The derivation chain remains self-contained and does not reduce any claim to its own outputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Based solely on the abstract, the work relies on standard security threat-modeling practices and qualitative expert judgment for risk scoring; no explicit free parameters, new axioms, or invented entities are described.



Forward citations

Cited by 7 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Attacks and Mitigations for Distributed Governance of Agentic AI under Byzantine Adversaries

    cs.CR 2026-05 unverdicted novelty 7.0

    Identifies concrete attacks from a malicious Provider on SAGA and proposes SAGA-BFT, SAGA-MON, SAGA-AUD, and SAGA-HYB mitigations offering different security-performance trade-offs.

  2. MCP-DPT: A Defense-Placement Taxonomy and Coverage Analysis for Model Context Protocol Security

    cs.CR 2026-04 conditional novelty 7.0

    MCP-DPT creates a defense-placement taxonomy that organizes MCP threats and defenses across six architectural layers, revealing mostly tool-centric protections and gaps at orchestration, transport, and supply-chain layers.

  3. MAGIQ: A Post-Quantum Multi-Agentic AI Governance System with Provable Security

    cs.LG 2026-05 unverdicted novelty 6.0

    MAGIQ introduces a post-quantum secure system for policy definition, enforcement, and accountability in multi-agent AI using novel cryptographic protocols and UC framework proofs.

  4. Security Considerations for Multi-agent Systems

    cs.CR 2026-03 unverdicted novelty 6.0

    No existing AI security framework covers a majority of the 193 identified multi-agent system threats in any category, with OWASP Agentic Security Initiative achieving the highest overall coverage at 65.3%.

  5. When Agents Handle Secrets: A Survey of Confidential Computing for Agentic AI

    cs.CR 2026-05 unverdicted novelty 5.0

    A survey providing a taxonomy of TEE platforms, an agent-centric threat model, and open challenges for applying confidential computing to secure agentic AI systems.

  6. SoK: Security of Autonomous LLM Agents in Agentic Commerce

    cs.CR 2026-04 unverdicted novelty 5.0

    The paper systematizes security for LLM agents in agentic commerce into five threat dimensions, identifies 12 cross-layer attack vectors, and proposes a layered defense architecture.

  7. When Agents Handle Secrets: A Survey of Confidential Computing for Agentic AI

    cs.CR 2026-05 unverdicted novelty 4.0

    A structured survey of confidential computing for agentic AI that catalogs TEE platforms, agent-specific threats, transferable defenses, and remaining gaps in end-to-end frameworks.
