Systematic Analysis of MCP Security

--The Model Context Protocol (MCP) has emerged as a universal standard that enables AI agents to seamlessly connect with external tools, significantly enhancing their functionality. However, while MCP brings notable benefits, it also introduces significant vulnerabilities, such as T ool Poisoning Attacks (TPA), where hidden malicious instructions exploit the sycophancy of large language models (LLMs) to manipulate agent behavior . Despite these risks, current academic research on MCP security remains limited, with most studies focusing on narrow or qualitative analyses that fail to capture the diversity of real-world threats. Our experiments reveal key insights into MCP vulnerabilities, including agents' blind reliance on tool descriptions, sensitivity to file-based attacks, chain attacks exploiting shared context, and difficulty distinguishing external data from executable commands. These insights, validated through attack experiments, underscore the urgency for robust defense strategies and informed MCP design. This work provides a foundational framework, supporting the secure evolution of MCP ecosystems. In the era of large language models (LLMs), AI agents are significantly enhancing their application [1], [2] and importance across various domains by incorporating tool invocation to interact with external systems [3]. To facilitate cross-platform development for agents, Anthropic introduced the Model Context Protocol (MCP), to standardize context exchange between models and applications [4]. As illustrated in Figure 1, MCP follows a client-server architecture composed of Host, Client, and Server. The Host 1, an AI application that utilizes data and tools, sends requests to single or multiple Servers via the Client 2 . The Server possesses three core capabilities: Tools 3 (enabling external operations), Resources 4 (exposing data to AI models), and Prompts 5 (reusable templates for workflow optimization).