Securing AI Agent Execution

Large Language Models (LLMs) have evolved into AI agents that interact with external tools and environments to perform complex tasks. The Model Context Protocol (MCP) has become the de facto standard for connecting agents with such resources, but security has lagged behind: thousands of MCP servers execute with unrestricted access to host systems, creating a broad attack surface. In this paper, we introduce AgentBound, the first access control framework for MCP servers. AgentBound combines a declarative policy mechanism, inspired by the Android permission model, with a policy enforcement engine that contains malicious behavior without requiring MCP server modifications. We build a dataset containing the 296 most popular MCP servers, and show that access control policies can be generated automatically from source code with 80.9% accuracy. We also show that AgentBound blocks the majority of security threats in several malicious MCP servers, and that policy enforcement engine introduces negligible overhead. Our contributions provide developers and project managers with a practical foundation for securing MCP servers while maintaining productivity, enabling researchers and tool builders to explore new directions for declarative access control and MCP security.

Key Contributions

• AgentBound: first access control framework for MCP servers, combining a declarative Android-inspired permission model with a sandboxed policy enforcement engine requiring no MCP server modifications
• Dataset of 296 popular MCP servers with automatic policy generation from source code achieving 80.9% accuracy using LLM-based analysis
• Empirical evaluation showing AgentBound blocks the majority of threats from malicious MCP servers with negligible runtime overhead

🛡️ Threat Analysis

Details

Similar Papers