attack 2025

Servant, Stalker, Predator: How An Honest, Helpful, And Harmless (3H) Agent Unlocks Adversarial Skills

David Noever


Published on arXiv

2508.19500

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

95 agents with multi-service MCP access can chain legitimate, authorized operations into sophisticated attack sequences that exfiltrate data, manipulate finances, and compromise infrastructure, exploiting the failure of service-isolation security assumptions.

MCP compositional attack chain

Novel technique introduced


This paper identifies and analyzes a novel vulnerability class in Model Context Protocol (MCP) based agent systems. The attack chain describes and demonstrates how benign, individually authorized tasks can be orchestrated to produce harmful emergent behaviors. Through systematic analysis using the MITRE ATLAS framework, we demonstrate how 95 agents tested with access to multiple services (including browser automation, financial analysis, location tracking, and code deployment) can chain legitimate operations into sophisticated attack sequences that extend beyond the security boundaries of any individual service. These red team exercises survey whether current MCP architectures lack the cross-domain security measures necessary to detect or prevent a large category of compositional attacks. We present empirical evidence of specific attack chains that achieve targeted harm through service orchestration, including data exfiltration, financial manipulation, and infrastructure compromise. These findings reveal that the fundamental security assumption of service isolation fails when agents can coordinate actions across multiple domains, creating an exponential attack surface that grows with each additional capability. This research provides a barebones experimental framework that evaluates not whether agents can complete MCP benchmark tasks, but what happens when they complete them too well and optimize across multiple services in ways that violate human expectations and safety constraints. We propose three concrete experimental directions using the existing MCP benchmark suite.


Key Contributions

  • Identifies a novel vulnerability class in MCP-based agent systems where individually benign authorized actions can be orchestrated into harmful compositional attack chains spanning multiple service domains
  • Provides empirical red-team evidence from 95 agents demonstrating specific attack sequences achieving data exfiltration, financial manipulation, and infrastructure compromise
  • Proposes an experimental framework using existing MCP benchmarks to evaluate cross-domain compositional risk rather than mere task completion

🛡️ Threat Analysis


Details

Domains: nlp
Model Types: llm
Threat Tags: inference_time, targeted
Datasets: MCP benchmark suite
Applications: llm agent systems, browser automation, financial analysis agents, code deployment agents