Model Control Protocol (MCP) Overview

• MCP is an open, standardized framework that defines clear interfaces between LLMs and external tools for streamlined AI workflow composition.
• It enables agentic workflows through a unified API and SDK support, reducing development overhead in heterogeneous AI systems.
• MCP poses significant security challenges, including risks such as malicious code execution and credential theft, requiring proactive mitigation strategies.

The Model Context Protocol (MCP) is an open, standardized framework designed to enable seamless interoperability between LLMs, external data sources, and agentic tools in generative AI applications. By formalizing the schema for message exchanges and tool/resource abstraction, MCP has become widely adopted for constructing complex, LLM-driven workflows with reduced development overhead. However, this very generality and standardization introduces potent security challenges, particularly when LLMs are empowered to orchestrate arbitrary tool invocations or agentic behavior using MCP-integrated systems (Radosevich et al., 2 Apr 2025).

1. Protocol Definition and Architecture

MCP abstracts the interface between LLM-enabled clients and servers hosting tools, resources, and prompts. It defines clear client-to-server (CTS) and server-to-client (STC) messaging schemas, typically structured as:

• Request: MCP_Request = { "feature": F, "parameters": P }
• Response: MCP_Response = { "data": D, "status": S }

Features can include access to file systems, environment variables, remote APIs, and agentic tool execution. Servers act as bundles for groups of tools and resources, exposing them through a unified API—streamlining the integration process in heterogeneous AI system architectures. SDKs are available for a variety of platforms, facilitating rapid deployment and orchestration of multi-component generative AI workflows (Radosevich et al., 2 Apr 2025).

2. Security Vulnerabilities and Attack Vectors

Although MCP's open protocol significantly lowers integration barriers, empirical research demonstrates that agentic workflows built atop MCP are subject to severe security risks (Radosevich et al., 2 Apr 2025). The main classes of vulnerabilities identified include:

• Malicious Code Execution (MCE): By crafting adversarial prompts with seemingly innocuous surface language, attackers can coerce LLMs into issuing system-level commands via MCP tools (e.g., injecting a nc -lvp 4444 -e /bin/bash shell into .bashrc).
• Remote Access Control (RAC): Attackers may use MCP invoke sequences to add unauthorized SSH keys or alter access control, establishing persistent, illicit remote access.
• Credential Theft (CT): LLMs prompted via MCP to interact with tools accessing environment variables (e.g., API keys) may inadvertently leak sensitive credentials.
• Retrieval-Agent DEception (RADE): By poisoning documents ingested into downstream retrieval systems (e.g., vector databases), attackers can embed latent MCP tool calls. Subsequent retrieval triggers may cause LLMs to execute malicious actions without any explicit user prompt.

These classes signal a fundamental risk in compositional, agentic AI workflows—namely, the ease with which emergent tool combinations and retrieval-based side channels can bypass traditional guardrails.

3. MCPSafetyScanner: Workflow and Implementation

To quantitatively audit and mitigate these vulnerabilities, the MCPSafetyScanner tool was introduced as the first agentic security scanner for MCP servers (Radosevich et al., 2 Apr 2025). Its operation proceeds through three principal agent-driven stages:

1. Automated Vulnerability Detection: The primary agent ("hacker") queries the MCP server's discovery endpoints, enumerates registered tools, resources, and prompts, and methodically simulates adversarial tool calls based on known exploit patterns.
2. Vulnerability Expansion and Remediation Search: For each identified (<tool, resource, vulnerability>) tuple, a secondary "auditor" agent references public advisories (e.g., security forums, arXiv, online exploits repositories) to identify remediations and cross-correlate with previous attack signatures.
3. Security Report Generation: A supervisor agent aggregates findings in a comprehensive report, highlighting unauthorized file modifications, credential leaks, environment variable exposures, directory traversal attempts, and SSH key insertions. Reports include automated "git-style" diffs and recommended command-level remediations (e.g., use of file integrity tools, stricter permission settings).

The modular multi-agent design enables the tool to provide rapid, repeatable scanning and reporting for arbitrary MCP configurations, ensuring pre-deployment vulnerabilities are surfaced and can be managed during CI/CD or system audits.

4. Implications, Broader Context, and Mitigation Strategies

The broad applicability of MCP for agentic workflow composition creates an inherent tension between openness and security. Standardizing tool access and prompt/resource exposure without strong access controls enables sophisticated, easily obfuscated attacks—quickly overwhelming LLMs' native guardrails. Notably, internal safety alignment in current LLMs (e.g., Claude, Llama-3.3-70B-Instruct) is not robust against indirect, context-aware, or retrieval-mediated prompt manipulation, as demonstrated in empirical defense circumvention scenarios (Radosevich et al., 2 Apr 2025).

Recommendations for mitigating these risks emphasize:

• Reinforced LLM Guardrails: LLM alignment must evolve beyond simple keyword or intent filtering to encompass more robust, semantics-aware refusal strategies, particularly for indirect or contextually ambiguous tool calls.
• Proactive Security Audits: The integration of MCPSafetyScanner or similar tools into continuous integration and deployment pipelines is strongly advised, to enable early detection of misconfigurations and zero-day vulnerabilities in the evolving tool spectrum.
• Strong Access Controls and Monitoring: Enforce strict file and directory permissions on all tool-accessible endpoints; monitor all file modifications using integrity checkers; and aggressively audit all environment-accessing tool calls.
• Community Collaboration: Security innovations, patches, and best practices must be rapidly disseminated and adopted within the broader MCP developer community to reduce collective exposure and respond quickly to new emergent exploits.

5. Conclusion and Future Research Directions

The formalization and commoditization of agentic AI workflows by MCP offers powerful integration capabilities, but also amplifies the system-wide attack surface in novel ways. Leading LLMs have been empirically shown to be susceptible to MCE, RAC, CT, and RADE attacks, frequently bypassing present-day alignment measures (Radosevich et al., 2 Apr 2025).

Future work is expected along several axes:

• Continuous Security Scanning: Regular, automated audits of all deployed MCP servers to rapidly identify and neutralize newly surfacing exploits.
• Integration with Standard Cybersecurity Protocols: Systematic incorporation of MCP-specific checks into established enterprise security stacks (identity management, integrity monitoring, SIEM solutions).
• LLM Resilience Research: Development of more effective, interpretability-driven and semantics-sensitive guardrails at the LLM layer to limit tool misuse via prompt manipulation, including in the presence of retrieval-augmented attacks.
• Community-driven Safety Infrastructure: Broader participation in collaborative security initiatives and maintenance of open-watchlists and patch dissemination frameworks tailored for MCP-enabled ecosystems.

The paper demonstrates both the risks and the immediate opportunities for improving the safety and resilience of agentic AI systems employing MCP, balancing ease of composition with a hardening operational security posture.