MCPLIB: MCP Attack Library
- MCPLIB is a comprehensive framework that catalogs and benchmarks over 30 distinct attack methods targeting the Model Context Protocol.
- It defines a clear taxonomy including direct, indirect, LLM inherent, supply chain, and parasitic toolchain attacks for MCP-based systems.
- The framework features a modular Python architecture with formal metrics and evaluation methodologies to guide effective defensive strategies.
The MCP Attack Library (MCPLIB) is a unified, extensible framework that catalogs, implements, and systematizes attacks targeting the Model Context Protocol (MCP)—the standard for LLM-based agentic tool integration. It provides formal taxonomies, attack modules, quantitative evaluation harnesses, and analytic workflows for assessing the security posture of MCP-based AI agents, tools, servers, and cross-ecosystem deployments (Guo et al., 18 Aug 2025, Zhao et al., 8 Sep 2025, Errico et al., 25 Nov 2025, Zhang et al., 14 Oct 2025, Yang et al., 10 Mar 2026, Zhou et al., 15 Feb 2026).
1. Taxonomy of Attack Classes and Methods
MCPLIB introduces a comprehensive, empirically validated taxonomy of attacks, systematically categorizing over 30 distinct methods across four or more fundamental threat classes (Guo et al., 18 Aug 2025):
- Direct Tool Injection Attacks: Adversaries directly embed payloads in tool code, docstrings, or metadata. This includes single-tool and multi-tool vectors:
- File-based addition (
__doc__manipulatingmcp.jsonor.bashrc) - File deletion/modification/retrieval, RCE, listener attachment
- Rug-pull via post-deployment updates
- Multi-tool cooperation, shadowing, preference manipulation
- File-based addition (
- Indirect Tool Injection Attacks: Malicious content delivered via dependencies, data sources, or return flows rather than direct tool modification.
- Webpage/data poisoning, package README-driven RCE
- Malicious tool return output injection (e.g., "call admin_tool" error chains)
- Malicious User Attacks: Privileged users damage the ecosystem from within, leveraging registration, privilege escalation, data injection (e.g., CSV exploits), installer spoofing, or sandbox escape.
- LLM Inherent Attacks: Classical LLM weaknesses (jailbreaks, prompt leakage, hallucination, goal hijack) become more severe when tool invocation is permitted. Examples include embedding DAN-style jailbreaks in tool docs or using hallucinated tools for data exfiltration.
- Cross-System and Supply Chain Attacks: Compromised dependencies, server registry confusion, version rug-pulls, and privilege escalation via over-permissioning are cataloged as independent categories (Errico et al., 25 Nov 2025).
- Parasitic Toolchain and Context Poisoning Attacks: Parasitic ingestion of prompts from external data sources, culminating in privacy collection and network exfiltration, as well as toolchain-wide propagation of adversarial instructions (Zhao et al., 8 Sep 2025).
The following table organizes these as implemented/defined in MCPLIB:
| Major Class | Subclasses/Examples | Key MCPLIB Instantiations |
|---|---|---|
| Direct tool injection | File add/del/mod, RCE, docshadow, rug-pull, forced execution | Methods 1–15 (Guo et al., 18 Aug 2025) |
| Indirect tool injection | Webpage poison, output injection, project install RCE | Methods 16–18 (Guo et al., 18 Aug 2025), MCP-UPD (Zhao et al., 8 Sep 2025) |
| Malicious user | Tool registration, data uploads, privilege escalation, token theft | Methods 19–25 |
| LLM inherent | Jailbreak, prompt leak, hallucination, goal hijack, SQL/API exfil | Methods 26–31 |
| Supply chain / ecosystem | Registry confusion, rugpull, arbitrary code exec, over-permissioning | (Errico et al., 25 Nov 2025) |
| Parasitic toolchain attacks | Stepwise privacy exfiltration, file writes, remote command exec | MCP-UPD, MCP-AFW, MCP-RCE (Zhao et al., 8 Sep 2025) |
2. MCPLIB Framework Architecture and Implementation
MCPLIB is a modular, Python-based plugin system with support for dynamic attack enumeration, benchmarking, and exploit automation. Its core architecture is composed of four primary modules (Guo et al., 18 Aug 2025, Zhang et al., 14 Oct 2025, Yang et al., 10 Mar 2026):
- Plugin Loader: Discovers and loads attack plugins, each implementing standardized APIs (name, description, activate).
- Attacker Resource Layer: Hosts supporting gadgets for indirect injections (malicious web/data/SQL/Git targets).
- Prompt Template Engine: Syncretizes prompt-level, data-level, and tool-level payloads for user/LLM-exploitable vectors.
- Orchestrator: Manages attack lifecycles, tool registrations, agent simulation, and log collection for evaluative runs.
Advanced static analysis and compliance-checking capabilities are provided by MCPLIB’s IR/AST-driven pipelines (Yang et al., 10 Mar 2026). Language-agnostic clause-compliance is established by normalizing SDKs across ten languages and applying both static and LLM-guided reasoning to detect missing guardrails, which are then correlated to three formal exploit modalities: joint payload/timing control, payload-only, and timing-only control.
3. Formal Metrics and Evaluation Methodologies
MCPLIB operationalizes several formal efficacy and robustness metrics for attack and defense benchmarking:
- Attack Efficacy (): A weighted sum of success rate (), security risk level (), persistence (), and implementation difficulty (), with entropy-based normalization:
where are entropy-derived weights; is observed over 10 runs; is the Narajala 7-point security risk; (1–2, immediate or persistent); 0 (1=easiest to 3=complex) (Guo et al., 18 Aug 2025).
- Net Resilient Performance (NRP): Quantifies the security–utility trade-off for LLM agents. Given the Attack Success Rate (ASR) and Performance Under Attack (PUA):
1
High NRP indicates robust task completion with low vulnerability; low NRP signals effective adversarial disruption (Zhang et al., 14 Oct 2025).
Experimental harnesses systematically instantiate agents (e.g., Meta Claude, Anthropic Claude-2, OpenAI function-calling wrappers), register both benign and malicious tools via a local server, and run attack scenarios with fine-grained sensitivity analyses (user confirmation, tool schema, LLM temperature) (Guo et al., 18 Aug 2025, Zhang et al., 14 Oct 2025).
4. Empirical Findings From Systematic MCPLIB Experiments
Large-scale evaluation demonstrates that:
- File-based tool injection, preference-manipulation, and malicious tool coverage obtain nearly 100% attack success with high severity (E≈8.4).
- Indirect tool output and data-return attacks (e.g., parasitic toolchain, context contamination) regularly achieve ASR >80–90% due to agents’ default trust in tool outputs.
- **Multi-tool cooperation and infectious template attacks display lower immediate S (30–70%) but high security risk (2) and persistent system compromise.
- Supply chain attacks (rug-pull, registry confusion) and dynamically delayed-onset attacks (behavioral drift) bypass one-time defenses and exploit configuration/governance failures (Errico et al., 25 Nov 2025, Zhou et al., 15 Feb 2026).
- Empirically identified core vulnerabilities include:
- Unvetted file-system and process effects (no consent for add/modify/retrieve).
- Blind reliance on tool descriptions for selection and invocation.
- Context-sharing leading to chain/infectious attacks across sessions and tool generations.
- Lack of accurate data/instruction separation.
5. Root-Cause Analyses and Modalities of Exploitation
MCPLIB incorporates fine-grained root-cause analyses employing formal definitions of context–tool isolation and privilege enforcement (or the lack thereof):
- Absence of Context–Tool Isolation: MCP tool outputs are ingested alongside trusted context without sanitization, making adversarial prompts indistinguishable from legitimate instructions (Zhao et al., 8 Sep 2025).
- Omission of Least-Privilege: All tools operate under uniform trust, with no scope restriction or explicit consent for sensitive actions.
- Exploit Modality Classification (Editor’s term): For each missing clause, MCPLIB classifies whether its absence enables joint payload/timing control, payload-only, or timing-only attacks, using binary guardrail indicators 3 (Yang et al., 10 Mar 2026).
- Ecosystem Prevalence: MCP-SEC census reveals 46.4% of MCP tools expose threat capabilities (external ingestion, privacy access, network egress), and 78.5% of servers host at least one such tool (Zhao et al., 8 Sep 2025).
6. Defensive Strategies and Design Recommendations
Empirical results and formal analyses yield a layered set of best-practice mitigations:
- Principle of Least Privilege: All file/network/process operations require explicit user confirmation and path whitelisting. Fine-grained capability labeling and per-tool sandbox or chroot isolation are recommended (Guo et al., 18 Aug 2025, Zhao et al., 8 Sep 2025).
- Metadata Vetting and Schema Validation: Automatic scanning of tool metadata (doc, description, return schema) to remove shell commands, suspicious instructions, or untrusted parameter fields.
- Context Segmentation and Zero-Trust Chaining: Partition shared agent context per session or tool, requiring explicit re-authorization to carry forward any variables or snippets.
- Data/Instruction Channel Separation: Tag all tool returns as data, enforce pattern-based rejection of latent command markers.
- Runtime Monitoring and Auditing: Centralized logging of all tool calls, with ReAct-style secondary agent auditing, detection of anomalous call chains (e.g., EIT→PAT→NAT), and automated pausing for suspicious workflows (Zhang et al., 14 Oct 2025, Errico et al., 25 Nov 2025).
- Governance and Supply Chain Hardening: Pin dependencies, restrict tool/server registry to vetted/private sources, and block local server execution where sandboxing is not possible (Errico et al., 25 Nov 2025).
- Periodic Robustness Audits with MCPLIB: Routine red-teaming of agents with MCPLIB’s attack suite; regression checks on NRP and ASR metrics after each code or agent model update (Zhang et al., 14 Oct 2025, Yang et al., 10 Mar 2026).
7. Role and Impact in the MCP Ecosystem
MCPLIB has become the reference toolkit for MCP-specific adversarial testing and CI integration, used for conformance testing, SDK static analysis, and agent evaluation (Yang et al., 10 Mar 2026). It is fully compatible with multi-language SDK audits, and its attack modules are extensible for custom zero-day analysis. Its deployment has led to >20 high-priority vulnerability disclosures and has directly shaped security guidelines and governance recommendations in MCP protocol development workflows (Yang et al., 10 Mar 2026, Guo et al., 18 Aug 2025).
This foundational position is reinforced by its dual role as both a dynamic attack-benchmarking harness and a static compliance/conformance analyzer, providing the only open-source end-to-end solution for systematic MCP security assessment to date.
References:
- (Guo et al., 18 Aug 2025): Systematic Analysis of MCP Security
- (Zhao et al., 8 Sep 2025): Mind Your Server: A Systematic Study of Parasitic Toolchain Attacks on the MCP Ecosystem
- (Errico et al., 25 Nov 2025): Securing the Model Context Protocol (MCP): Risks, Controls, and Governance
- (Zhang et al., 14 Oct 2025): MCP Security Bench (MSB): Benchmarking Attacks Against Model Context Protocol in LLM Agents
- (Yang et al., 10 Mar 2026): Compatibility at a Cost: Systematic Discovery and Exploitation of MCP Clause-Compliance Vulnerabilities
- (Zhou et al., 15 Feb 2026): MCPShield: A Security Cognition Layer for Adaptive Trust Calibration in Model Context Protocol Agents