Formal verification of MCP workflows

Establish formal verification models and methods for Model Context Protocol (MCP)-based workflows that combine natural-language prompts, JSON-RPC tool discovery and execution, and host policy checks, proving properties such as non-execution of unauthorized commands and resistance to confused-deputy scenarios in agentic AI systems.

Background

MCP blends natural language reasoning with executable tool calls, making it difficult to specify and verify correct behavior using traditional software verification approaches. The paper highlights that a significant fraction of MCP server implementations can execute unsafe shell calls, underscoring the need for rigorous guarantees that agents will not misinterpret malicious inputs as instructions.

The authors argue that formal verification must capture both the symbolic protocol of tool invocation and the semantic constraints on prompt processing, potentially through protocol modeling, static analysis of MCP servers, and policy verification envelopes around LLM outputs. Despite preliminary ideas, a comprehensive verification framework for MCP remains unestablished.
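To make the idea of a policy verification envelope concrete, the following added example (not from the paper or from any MCP implementation) bounded-model-checks a toy host envelope: it enumerates every JSON-RPC trace of up to three messages and asserts that the host never executes a call that is unauthorized or that originated from text returned by an earlier tool result (the confused-deputy path). The tool catalogue, the principals and the `origin` tag are constructed assumptions.

```python
"""Bounded model check of a host policy envelope around MCP JSON-RPC tool calls.

Constructed illustration: the tool catalogue, principals and message alphabet are
assumptions, not taken from any real MCP server or host.
"""
import itertools

# Hypothetical tools/list result: which principal may invoke each tool.
ALLOWED = {"read_file": {"user", "admin"}, "run_shell": {"admin"}}

# Message alphabet: every JSON-RPC-shaped event the host may see in one turn.
# 'origin' records whether the call came from the user's turn or from text that a
# tool result injected back into the model's context (the confused-deputy path).
ALPHABET = [{"method": "tools/list"}] + [
    {"method": "tools/call", "params": {"name": t}, "principal": p, "origin": o}
    for t in ALLOWED for p in ("user", "admin") for o in ("user", "tool_result")
]

def run_host(trace, check_origin=True):
    """Replay a trace through the host envelope; return the calls it actually executed."""
    discovered, executed = set(), []
    for msg in trace:
        if msg["method"] == "tools/list":
            discovered.update(ALLOWED)          # discovery gates later calls
        elif msg["method"] == "tools/call":
            name = msg["params"]["name"]
            authorized = name in discovered and msg["principal"] in ALLOWED[name]
            from_user = msg["origin"] == "user" or not check_origin
            if authorized and from_user:
                executed.append((name, msg["principal"], msg["origin"]))
    return executed

def violates(record):
    """Safety property: an executed call must be authorized and user-originated."""
    name, principal, origin = record
    return principal not in ALLOWED[name] or origin != "user"

def model_check(max_len, check_origin=True):
    """Exhaustively explore traces up to max_len; return the first counterexample or None."""
    for n in range(1, max_len + 1):
        for trace in itertools.product(ALPHABET, repeat=n):
            for record in run_host(trace, check_origin):
                if violates(record):
                    return list(trace)
    return None

if __name__ == "__main__":
    print("hardened envelope counterexample:", model_check(3))
    print("envelope without origin check:  ", model_check(3, check_origin=False))
```

Dropping the origin check yields a two-message counterexample (discovery followed by a tool-result-originated call), which is exactly the confused-deputy trace the envelope is meant to rule out.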

References

Formal verification in this context remains largely open.

Systematization of Knowledge: Security and Safety in the Model Context Protocol Ecosystem (2512.08290 - Gaire et al., 9 Dec 2025) in Section 7.1 Formal Verification of MCP Protocols