Systematization of Knowledge: Security and Safety in the Model Context Protocol Ecosystem

Authors: Shiva Gaire, Srijan Gyawali, Saroj Mishra, Suman Niroula, Dilip Thakur, Umesh Yadav

Published: 2025-12-09

arXiv ID: 2512.08290v2

Added to Library: 2026-01-07 10:13 UTC

Red Teaming

📄 Abstract

The Model Context Protocol (MCP) has emerged as the de facto standard for connecting Large Language Models (LLMs) to external data and tools, effectively functioning as the "USB-C for Agentic AI." While this decoupling of context and execution solves critical interoperability challenges, it introduces a profound new threat landscape where the boundary between epistemic errors (hallucinations) and security breaches (unauthorized actions) dissolves. This Systematization of Knowledge (SoK) aims to provide a comprehensive taxonomy of risks in the MCP ecosystem, distinguishing between adversarial security threats (e.g., indirect prompt injection, tool poisoning) and epistemic safety hazards (e.g., alignment failures in distributed tool delegation). We analyze the structural vulnerabilities of MCP primitives, specifically Resources, Prompts, and Tools, and demonstrate how "context" can be weaponized to trigger unauthorized operations in multi-agent environments. Furthermore, we survey state-of-the-art defenses, ranging from cryptographic provenance (ETDI) to runtime intent verification, and conclude with a roadmap for securing the transition from conversational chatbots to autonomous agentic operating systems.

🔍 Key Points

  • The paper introduces a comprehensive taxonomy distinguishing between adversarial security threats and epistemic safety hazards specific to the Model Context Protocol (MCP) ecosystem, enhancing the understanding of associated risks.
  • A structural analysis of MCP primitives reveals how the decoupling of context and execution introduces novel vulnerability classes, notably affecting multi-agent environments and operational safety.
  • The authors synthesize state-of-the-art mitigation strategies for addressing identified threats, advocating for a unified threat model that integrates security and safety concerns in AI systems.
  • The paper presents real-world case studies illustrating the impact of security vulnerabilities in MCP systems, providing actionable insights for enterprises.
  • Future research directions and mitigation strategies are proposed, emphasizing the need for formal verification, standardized frameworks, and robust governance in MCP implementations.

💡 Why This Paper Matters

This paper lays the groundwork for understanding and addressing the unique security and safety challenges posed by the Model Context Protocol (MCP) in AI systems, marking a significant contribution to the field of AI security and ethics. It identifies critical gaps in current methodologies and sets the stage for future research aimed at improving the resilience and safety of agentic AI technologies.

🎯 Why It's Interesting for AI Security Researchers

AI security researchers will find this paper valuable as it not only highlights pressing vulnerabilities unique to the Model Context Protocol but also enriches the discourse around the intersection of AI safety and cybersecurity. The proposed taxonomies, case studies, and mitigation strategies provide both theoretical frameworks and practical guidelines for enhancing the security and reliability of LLM integrations, a pertinent topic in the rapidly evolving AI landscape.