attack 2025

IntentMiner: Intent Inversion Attack via Tool Call Analysis in the Model Context Protocol

Yunhao Yao 1, Zhiqiang Wang 1, Haoran Cheng 1, Yihang Cheng 1, Haohua Du 2, Xiang-Yang Li 1

0 citations · 23 references · arXiv

Published on arXiv: 2512.14166

Insecure Plugin Design (OWASP LLM Top 10, LLM07)

Sensitive Information Disclosure (OWASP LLM Top 10, LLM06)

Key Finding

IntentMiner reconstructs private user intent from MCP tool call metadata with over 85% semantic alignment to original queries, substantially surpassing LLM baseline approaches

IntentMiner

Novel technique introduced


The evolution of Large Language Models (LLMs) into Agentic AI has established the Model Context Protocol (MCP) as the standard for connecting reasoning engines with external tools. Although this decoupled architecture fosters modularity, it simultaneously shatters the traditional trust boundary. We uncover a novel privacy vector inherent to this paradigm: the Intent Inversion Attack. We show that semi-honest third-party MCP servers can accurately reconstruct users' underlying intents by leveraging only authorized metadata (e.g., function signatures, arguments, and receipts), effectively bypassing the need for raw query access. To quantify this threat, we introduce IntentMiner. Unlike statistical approaches, IntentMiner employs a hierarchical semantic parsing strategy that performs step-level intent reconstruction by analyzing tool functions, parameter entities, and result feedback in an orthogonal manner. Experiments on the ToolACE benchmark reveal that IntentMiner achieves a semantic alignment of over 85% with original queries, substantially surpassing LLM baselines. This work exposes a critical endogenous vulnerability: without semantic obfuscation, executing functions requires the transparency of intent, thereby challenging the privacy foundations of next-generation AI agents.


Key Contributions

  • Identifies and formalizes the Intent Inversion Attack — a novel privacy threat where semi-honest MCP servers reconstruct private user intent from authorized tool call metadata (function signatures, arguments, receipts) without raw query access
  • Proposes IntentMiner, a hierarchical semantic parsing framework performing step-level intent reconstruction via orthogonal analysis of tool functions, parameter entities, and result feedback
  • Demonstrates >85% semantic alignment with original user queries on the ToolACE benchmark, substantially outperforming LLM baselines, exposing a fundamental endogenous privacy vulnerability in decoupled agentic architectures

Details

Domains: nlp
Model Types: llm
Threat Tags: black_box, inference_time
Datasets: ToolACE
Applications: llm agent systems, mcp-based ai agents, agentic ai workflows