defense 2026

SMCP: Secure Model Context Protocol

Xinyi Hou , Shenao Wang , Yifan Zhang , Ziluo Xue , Yanjie Zhao , Cai fu , Haoyu Wang

Huazhong University of Science and Technology

0 citations · 31 references · arXiv (Cornell University)
α

Published on arXiv

2602.01129

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

SMCP addresses the full surface of MCP security risks through protocol-level identity, authentication, policy, and audit mechanisms rather than ad-hoc countermeasures.

SMCP (Secure Model Context Protocol)

Novel technique introduced

Agentic AI systems built around large language models (LLMs) are moving away from closed, single-model frameworks and toward open ecosystems that connect a variety of agents, external tools, and resources. The Model Context Protocol (MCP) has emerged as a standard to unify tool access, allowing agents to discover, invoke, and coordinate with tools more flexibly. However, as MCP becomes more widely adopted, it also brings a new set of security and privacy challenges. These include risks such as unauthorized access, tool poisoning, prompt injection, privilege escalation, and supply chain attacks, any of which can impact different parts of the protocol workflow. While recent research has examined possible attack surfaces and suggested targeted countermeasures, there is still a lack of systematic, protocol-level security improvements for MCP. To address this, we introduce the Secure Model Context Protocol (SMCP), which builds on MCP by adding unified identity management, robust mutual authentication, ongoing security context propagation, fine-grained policy enforcement, and comprehensive audit logging. In this paper, we present the main components of SMCP, explain how it helps reduce security risks, and illustrate its application with practical examples. We hope that this work will contribute to the development of agentic systems that are not only powerful and adaptable, but also secure and dependable.

Key Contributions

  • Systematic threat model for the Model Context Protocol covering unauthorized access, tool poisoning, prompt injection, privilege escalation, and supply chain risks
  • Secure Model Context Protocol (SMCP) design with unified identity management, mutual authentication, and ongoing security context propagation
  • Fine-grained policy enforcement and comprehensive audit logging layered onto MCP to harden agentic LLM deployments

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time
Applications
llm agent systemsagentic ai frameworkstool-augmented llm pipelines
Read PDF arXiv DOI

Similar Papers

defense

IPIGuard: A Novel Tool Dependency Graph-Based Defense Against Indirect Prompt Injection in LLM Agents

2025 0 cit.
100%
defense

Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents

2026 0 cit.
92%
defense

ToolSafe: Enhancing Tool Invocation Safety of LLM-based agents via Proactive Step-level Guardrail and Feedback

2026 2 cit.
92%
defense

VIGIL: Defending LLM Agents Against Tool Stream Injection via Verify-Before-Commit

2026 1 cit.
92%
defense

AgentSentry: Mitigating Indirect Prompt Injection in LLM Agents via Temporal Causal Diagnostics and Context Purification

2026 0 cit.
92%
defense

Introducing the Generative Application Firewall (GAF)

2026 0 cit.
92%
defense

Securing the Model Context Protocol: Defending LLMs Against Tool Poisoning and Adversarial Attacks

2025 5 cit.
92%
defense

MindGuard: Intrinsic Decision Inspection for Securing LLM Agents Against Metadata Poisoning

2025 0 cit.
85%