Systematization of Knowledge: Security and Safety in the Model Context Protocol Ecosystem

The Model Context Protocol (MCP) has emerged as the de facto standard for connecting Large Language Models (LLMs) to external data and tools, effectively functioning as the "USB-C for Agentic AI." While this decoupling of context and execution solves critical interoperability challenges, it introduces a profound new threat landscape where the boundary between epistemic errors (hallucinations) and security breaches (unauthorized actions) dissolves. This Systematization of Knowledge (SoK) aims to provide a comprehensive taxonomy of risks in the MCP ecosystem, distinguishing between adversarial security threats (e.g., indirect prompt injection, tool poisoning) and epistemic safety hazards (e.g., alignment failures in distributed tool delegation). We analyze the structural vulnerabilities of MCP primitives, specifically Resources, Prompts, and Tools, and demonstrate how "context" can be weaponized to trigger unauthorized operations in multi-agent environments. Furthermore, we survey state-of-the-art defenses, ranging from cryptographic provenance (ETDI) to runtime intent verification, and conclude with a roadmap for securing the transition from conversational chatbots to autonomous agentic operating systems.

Key Contributions

• First academic SoK systematizing MCP ecosystem risks with a unified taxonomy distinguishing adversarial security threats (tool poisoning, indirect prompt injection) from epistemic safety hazards (alignment failures in tool delegation)
• Structural analysis of vulnerabilities in MCP primitives (Resources, Prompts, Tools), including the novel Cross-Primitive Escalation class where read-only context access triggers write-action execution
• Survey of emerging defenses from cryptographic provenance (ETDI) to runtime intent verification, plus forensic case studies of real-world MCP incidents including the Supabase data leak

🛡️ Threat Analysis

Details

Similar Papers