defense 2026

MCPShield: A Security Cognition Layer for Adaptive Trust Calibration in Model Context Protocol Agents

Zhenhong Zhou 1, Yuanhe Zhang 2, Hongwei Cai 2, Moayad Aloqaily 3, Ouns Bouachir 3, Linsey Pang 4, Prakhar Mehrotra 4, Kun Wang 1, Qingsong Wen 5

0 citations · 57 references · arXiv (Cornell University)


Published on arXiv

2602.14281

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Key Finding

MCPShield successfully defends against six novel MCP-based attack scenarios across six widely used agentic LLMs while incurring no false positives on benign servers and low deployment overhead.

MCPShield

Novel technique introduced


The Model Context Protocol (MCP) standardizes tool use for LLM-based agents and enables third-party servers. This openness introduces a security misalignment: agents implicitly trust tools exposed by potentially untrusted MCP servers. Despite the protocol's considerable utility, existing agents typically perform only limited validation of third-party MCP servers. As a result, agents remain vulnerable to MCP-based attacks that exploit the misalignment between agents and servers throughout the tool invocation lifecycle. In this paper, we propose MCPShield, a plug-in security cognition layer that mitigates this misalignment and ensures agent security when invoking MCP-based tools. Drawing inspiration from human experience-driven tool validation, MCPShield helps the agent form security cognition through metadata-guided probing before invocation. During invocation, our method constrains execution within controlled boundaries while observing runtime events; after invocation, it updates the security cognition by reasoning over historical traces, mirroring human post-use reflection on tool behavior. Experiments demonstrate that MCPShield generalizes well, defending against six novel MCP-based attack scenarios across six widely used agentic LLMs while avoiding false positives on benign servers and incurring low deployment overhead. Overall, our work provides a practical and robust security safeguard for MCP-based tool invocation in open agent ecosystems.


Key Contributions

  • MCPShield: a plug-in security cognition layer that performs metadata-guided probing of MCP tools before invocation to detect semantic misalignment with untrusted servers
  • Lifecycle-aware defense encompassing pre-invocation validation, execution-time boundary enforcement, and post-invocation trace reasoning to update agent security cognition
  • Empirical demonstration of defense against six novel MCP-based attack scenarios across six agentic LLMs with zero false positives on benign servers and low overhead

🛡️ Threat Analysis


Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time, black_box
Applications
llm agents, agentic ai systems, mcp-based tool ecosystems