1 { 2 "paper": { 3 "title": "Securing the Model Context Protocol (MCP): Risks, Controls, and Governance", 4 "authors": ["Herman Errico", "Jiquan Ngiam", "Shanita Sojan"], 5 "year": 2025, 6 "venue": "arXiv", 7 "arxiv_id": "2511.20920" 8 }, 9 "scan_version": 2, 10 "active_modules": [], 11 "methodology_tags": ["theoretical", "qualitative"], 12 "key_findings": "The paper identifies three adversary types exploiting MCP deployments: content injection attackers, supply chain attackers, and agents as inadvertent adversaries. It proposes a defense-in-depth framework with five control categories (authentication, provenance tracking, sandboxing, policy enforcement, centralized governance) operationalized through a gateway architecture. The controls are mapped to NIST AI RMF, ISO/IEC 27001, and ISO/IEC 42001 frameworks. The paper cites real-world incidents including the Asana data exposure, the Microsoft 365 Copilot vulnerability (CVE-2025-32711), the mcp-remote remote code execution vulnerability (CVE-2025-6514), and a malicious Postmark MCP server, but does not describe how these incidents were selected.", 13 "checklist": { 14 "artifacts": { 15 "code_released": { 16 "applies": true, 17 "answer": true, 18 "justification": "Appendix A provides the proof-of-concept MCP server code for the response injection attack inline in the paper. No repository or other runnable artifact is released beyond this PoC snippet." 19 }, 20 "data_released": { 21 "applies": true, 22 "answer": false, 23 "justification": "No dataset or structured data is released. The paper references real-world incidents but provides no collected data." 24 }, 25 "environment_specified": { 26 "applies": false, 27 "answer": false, 28 "justification": "This is a theoretical/qualitative paper proposing a framework. There is no experimental environment to specify beyond the PoC snippet." 29 }, 30 "reproduction_instructions": { 31 "applies": false, 32 "answer": false, 33 "justification": "No experiments to reproduce. The paper is a theoretical framework proposal with a brief PoC demonstration." 
34 } 35 }, 36 "statistical_methodology": { 37 "confidence_intervals_or_error_bars": { 38 "applies": false, 39 "answer": false, 40 "justification": "No quantitative experiments are conducted. The paper is a theoretical framework and threat model." 41 }, 42 "significance_tests": { 43 "applies": false, 44 "answer": false, 45 "justification": "No statistical comparisons are made. The paper proposes controls and maps them to governance frameworks." 46 }, 47 "effect_sizes_reported": { 48 "applies": false, 49 "answer": false, 50 "justification": "No quantitative results are reported. The paper is qualitative." 51 }, 52 "sample_size_justified": { 53 "applies": false, 54 "answer": false, 55 "justification": "No samples are collected. This is a theoretical framework paper." 56 }, 57 "variance_reported": { 58 "applies": false, 59 "answer": false, 60 "justification": "No experimental runs to report variance for." 61 } 62 }, 63 "evaluation_design": { 64 "baselines_included": { 65 "applies": true, 66 "answer": true, 67 "justification": "The paper compares against existing governance frameworks (NIST AI RMF, ISO/IEC 42001, ISO/IEC 27001) and explains why they are insufficient for MCP deployments (Section 1.5, Section 5)." 68 }, 69 "baselines_contemporary": { 70 "applies": true, 71 "answer": true, 72 "justification": "The frameworks compared against are current standards: NIST AI RMF 1.0, ISO/IEC 27001:2022, ISO/IEC 42001:2023, and the emerging ISO/IEC DIS 27090." 73 }, 74 "ablation_study": { 75 "applies": false, 76 "answer": false, 77 "justification": "No system with components to ablate. This is a theoretical framework proposal." 78 }, 79 "multiple_metrics": { 80 "applies": false, 81 "answer": false, 82 "justification": "No quantitative evaluation is performed." 83 }, 84 "human_evaluation": { 85 "applies": false, 86 "answer": false, 87 "justification": "No system outputs to evaluate. The paper proposes a conceptual framework." 
88 }, 89 "held_out_test_set": { 90 "applies": false, 91 "answer": false, 92 "justification": "No data or benchmarks used." 93 }, 94 "per_category_breakdown": { 95 "applies": true, 96 "answer": true, 97 "justification": "Table 1 provides a detailed per-attack-vector breakdown of which controls mitigate which threats. Table 2 maps each attack vector to specific controls and framework alignments." 98 }, 99 "failure_cases_discussed": { 100 "applies": true, 101 "answer": true, 102 "justification": "Section 4.6 discusses practical trade-offs of the gateway architecture including latency, single point of failure, and operational complexity. Section 1.3.3 discusses limitations of traditional security approaches." 103 }, 104 "negative_results_reported": { 105 "applies": true, 106 "answer": true, 107 "justification": "The paper acknowledges that no single control fully mitigates any threat (Section 4 opening), and that the gateway introduces trade-offs including latency and single-point-of-failure risk (Section 4.6)." 108 } 109 }, 110 "claims_and_evidence": { 111 "abstract_claims_supported": { 112 "applies": true, 113 "answer": true, 114 "justification": "The abstract claims are well-aligned with the paper's content: three adversary types are formalized in Section 2-3, controls are proposed in Section 4, and governance mapping is in Section 5." 115 }, 116 "causal_claims_justified": { 117 "applies": false, 118 "answer": false, 119 "justification": "The paper does not make causal claims from empirical data. It describes threat models and proposes controls without claiming measured causal effects." 120 }, 121 "generalization_bounded": { 122 "applies": true, 123 "answer": true, 124 "justification": "The paper scopes its contributions to MCP deployments specifically, acknowledges the protocol is in early/rapid evolution (Section 6.2), and frames open research questions rather than claiming solved problems." 
125 }, 126 "alternative_explanations_discussed": { 127 "applies": false, 128 "answer": false, 129 "justification": "No empirical results that require alternative explanations. The paper is a theoretical framework." 130 }, 131 "proxy_outcome_distinction": { 132 "applies": false, 133 "answer": false, 134 "justification": "No measurements or proxies. This is a theoretical paper." 135 } 136 }, 137 "setup_transparency": { 138 "model_versions_specified": { 139 "applies": false, 140 "answer": false, 141 "justification": "No models are evaluated. The PoC demonstrates an attack concept but does not benchmark any specific model." 142 }, 143 "prompts_provided": { 144 "applies": true, 145 "answer": true, 146 "justification": "The proof-of-concept in Appendix A provides the full attack payload text, and Section 3.1.1 provides the injection example prompt. The tool description poisoning example is also quoted in Section 3.2.3." 147 }, 148 "hyperparameters_reported": { 149 "applies": false, 150 "answer": false, 151 "justification": "No model inference experiments are conducted." 152 }, 153 "scaffolding_described": { 154 "applies": false, 155 "answer": false, 156 "justification": "No agentic scaffolding is built or evaluated. The paper discusses scaffolding conceptually as part of the threat model." 157 }, 158 "data_preprocessing_documented": { 159 "applies": false, 160 "answer": false, 161 "justification": "No data collection or preprocessing. This is a theoretical framework paper." 162 } 163 }, 164 "limitations_and_scope": { 165 "limitations_section_present": { 166 "applies": true, 167 "answer": false, 168 "justification": "There is no dedicated limitations section. Some limitations are mentioned inline (e.g., gateway trade-offs in Section 4.6, open research problems in Section 6.1) but no consolidated limitations discussion." 169 }, 170 "threats_to_validity_specific": { 171 "applies": true, 172 "answer": false, 173 "justification": "No threats-to-validity section. 
The paper does not discuss potential weaknesses in its own threat model or framework design." 174 }, 175 "scope_boundaries_stated": { 176 "applies": true, 177 "answer": true, 178 "justification": "Section 6.1 identifies multiple open research problems the paper does not solve, including formal verification, privacy-preserving operations, and automated policy generation. Section 6.2 acknowledges MCP is 'in an early, rapidly evolving phase.'" 179 } 180 }, 181 "data_integrity": { 182 "raw_data_available": { 183 "applies": false, 184 "answer": false, 185 "justification": "No data collected. This is a theoretical framework paper." 186 }, 187 "data_collection_described": { 188 "applies": true, 189 "answer": false, 190 "justification": "The paper references real-world incidents (Asana, Microsoft 365, Postmark, mcp-remote) and a claim of 1,800+ unauthenticated MCP servers, but does not describe how these incidents were identified or collected." 191 }, 192 "recruitment_methods_described": { 193 "applies": false, 194 "answer": false, 195 "justification": "No human participants or systematic data collection." 196 }, 197 "data_pipeline_documented": { 198 "applies": false, 199 "answer": false, 200 "justification": "No data pipeline. This is a theoretical paper." 201 } 202 }, 203 "conflicts_of_interest": { 204 "funding_disclosed": { 205 "applies": true, 206 "answer": false, 207 "justification": "No funding or acknowledgment of funding sources. Authors are from Vanta, MintMCP, and Darktrace but no funding disclosure is provided." 208 }, 209 "affiliations_disclosed": { 210 "applies": true, 211 "answer": true, 212 "justification": "Author affiliations are clearly stated: Herman Errico (Vanta), Jiquan Ngiam (MintMCP), Shanita Sojan (Darktrace)." 213 }, 214 "funder_independent_of_outcome": { 215 "applies": true, 216 "answer": false, 217 "justification": "No funding is disclosed, so independence cannot be assessed. 
Notably, the authors work at security/MCP companies (Vanta is a security compliance platform, MintMCP works on MCP, Darktrace is a cybersecurity company) that could benefit from MCP security concerns being elevated." 218 }, 219 "financial_interests_declared": { 220 "applies": true, 221 "answer": false, 222 "justification": "No competing interests statement. The authors' employers (Vanta, MintMCP, Darktrace) have potential commercial interests in MCP security solutions but this is not declared." 223 } 224 }, 225 "contamination": { 226 "training_cutoff_stated": { 227 "applies": false, 228 "answer": false, 229 "justification": "No pre-trained model is evaluated on any benchmark." 230 }, 231 "train_test_overlap_discussed": { 232 "applies": false, 233 "answer": false, 234 "justification": "No benchmark evaluation is performed." 235 }, 236 "benchmark_contamination_addressed": { 237 "applies": false, 238 "answer": false, 239 "justification": "No benchmark evaluation is performed." 240 } 241 }, 242 "human_studies": { 243 "pre_registered": { 244 "applies": false, 245 "answer": false, 246 "justification": "No human participants." 247 }, 248 "irb_or_ethics_approval": { 249 "applies": false, 250 "answer": false, 251 "justification": "No human participants." 252 }, 253 "demographics_reported": { 254 "applies": false, 255 "answer": false, 256 "justification": "No human participants." 257 }, 258 "inclusion_exclusion_criteria": { 259 "applies": false, 260 "answer": false, 261 "justification": "No human participants." 262 }, 263 "randomization_described": { 264 "applies": false, 265 "answer": false, 266 "justification": "No human participants." 267 }, 268 "blinding_described": { 269 "applies": false, 270 "answer": false, 271 "justification": "No human participants." 272 }, 273 "attrition_reported": { 274 "applies": false, 275 "answer": false, 276 "justification": "No human participants." 
277 } 278 }, 279 "cost_and_practicality": { 280 "inference_cost_reported": { 281 "applies": false, 282 "answer": false, 283 "justification": "Theoretical paper with no computational method to cost." 284 }, 285 "compute_budget_stated": { 286 "applies": false, 287 "answer": false, 288 "justification": "No computation performed beyond a trivial PoC." 289 } 290 } 291 }, 292 "claims": [ 293 { 294 "claim": "MCP replaces static, developer-controlled API integrations with dynamic, user-driven agent systems, introducing new security risks not covered by existing AI governance frameworks.", 295 "evidence": "Section 1.3 describes the paradigm shift. Section 1.5 analyzes gaps in NIST AI RMF and ISO/IEC 42001. Real-world incidents cited: Asana data exposure, Microsoft 365 Copilot CVE-2025-32711, mcp-remote RCE CVE-2025-6514, malicious Postmark MCP server.", 296 "supported": "moderate" 297 }, 298 { 299 "claim": "Three adversary types exploit MCP's flexibility: content injection attackers, supply chain attackers, and agents as inadvertent adversaries.", 300 "evidence": "Section 2.2 formalizes the three types. Section 3 provides concrete attack vectors with examples. Appendix A provides a proof-of-concept response injection implementation.", 301 "supported": "moderate" 302 }, 303 { 304 "claim": "Over 1,800 MCP servers on the public internet lack authentication.", 305 "evidence": "Section 1.3.2 cites Knostic research [19] for this statistic. No independent verification or methodology description provided.", 306 "supported": "weak" 307 }, 308 { 309 "claim": "Organizations report 50-70% time savings on routine tasks following MCP deployment.", 310 "evidence": "Section 1.2 cites [10] (Block's enterprise MCP adoption blog post). 
Single company report, not peer-reviewed.", 311 "supported": "weak" 312 }, 313 { 314 "claim": "The proposed defense-in-depth framework with five control categories and gateway architecture addresses the identified threats.", 315 "evidence": "Section 4 describes controls. Table 1 maps risks to mechanisms. Table 2 maps to governance frameworks. No empirical validation of effectiveness.", 316 "supported": "weak" 317 }, 318 { 319 "claim": "Multiple commercial AI agents complied with the proof-of-concept response injection instructions.", 320 "evidence": "Appendix A states 'Our tests demonstrated that multiple commercial AI agents complied with these injected instructions' but provides no details on which agents, success rates, or test methodology.", 321 "supported": "unsupported" 322 } 323 ], 324 "red_flags": [ 325 { 326 "flag": "Undisclosed conflicts of interest", 327 "detail": "Authors work at Vanta (security compliance platform), MintMCP (MCP company), and Darktrace (cybersecurity). All three companies have commercial interests in MCP security concerns being taken seriously. No conflicts of interest statement is provided." 328 }, 329 { 330 "flag": "Unsupported empirical claim", 331 "detail": "The paper claims 'multiple commercial AI agents complied with these injected instructions' from the PoC attack but provides zero details: no agent names, no success rates, no methodology, no failure cases." 332 }, 333 { 334 "flag": "No empirical validation of proposed framework", 335 "detail": "The five-category defense framework and gateway architecture are proposed without any empirical evaluation, case study deployment, simulation, or formal analysis demonstrating effectiveness." 336 }, 337 { 338 "flag": "Selective citation of incidents", 339 "detail": "Real-world incidents are cited to motivate the threat model but the selection methodology is not described. No systematic survey of MCP incidents was conducted, creating potential cherry-picking risk." 
340 }, 341 { 342 "flag": "No limitations section", 343 "detail": "The paper lacks a dedicated limitations section despite proposing a comprehensive security framework. Trade-offs of the gateway approach are briefly noted but weaknesses of the threat model and framework are not discussed." 344 } 345 ], 346 "cited_papers": [ 347 { 348 "title": "Systematic Analysis of MCP Security", 349 "authors": ["Y. Guo"], 350 "year": 2025, 351 "arxiv_id": "2508.12538", 352 "relevance": "Directly relevant systematic analysis of MCP security threats and vulnerabilities." 353 }, 354 { 355 "title": "Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions", 356 "authors": ["X. Hou", "Y. Zhao", "S. Wang", "H. Wang"], 357 "year": 2025, 358 "arxiv_id": "2503.23278", 359 "relevance": "Comprehensive overview of MCP landscape and security threats." 360 }, 361 { 362 "title": "MCPGuard: Automatically Detecting Vulnerabilities in MCP Servers", 363 "authors": ["B. Wang", "Z. Liu", "H. Yu"], 364 "year": 2025, 365 "arxiv_id": "2510.23673", 366 "relevance": "Automated vulnerability detection for MCP servers, directly relevant to supply chain security." 367 }, 368 { 369 "title": "TraceAegis: Securing LLM-Based Agents via Hierarchical and Behavioral Anomaly Detection", 370 "authors": ["J. Liu", "B. Ruan"], 371 "year": 2025, 372 "arxiv_id": "2510.11203", 373 "relevance": "Behavioral anomaly detection for LLM agents, relevant to agent security monitoring." 374 }, 375 { 376 "title": "LumiMAS: A Comprehensive Framework for Real-Time Monitoring and Enhanced Observability in Multi-Agent Systems", 377 "authors": ["R. Solomon"], 378 "year": 2025, 379 "arxiv_id": "2508.12412", 380 "relevance": "Multi-agent system monitoring framework relevant to MCP observability." 381 }, 382 { 383 "title": "Evaluating the Goal-Directedness of Large Language Models", 384 "authors": ["T. 
Everitt"], 385 "year": 2025, 386 "arxiv_id": "2504.11844", 387 "relevance": "Evaluating LLM goal-directedness, relevant to the paper's 'agents as inadvertent adversaries' adversary type." 388 }, 389 { 390 "title": "Progent: Programmable Privilege Control for LLM Agents", 391 "authors": ["T. Shi", "J. He"], 392 "year": 2025, 393 "arxiv_id": "2504.11703", 394 "relevance": "Programmable privilege control for LLM agents, directly relevant to the paper's policy enforcement and sandboxing control categories (least-privilege tool access for agents)." 395 }, 396 { 397 "title": "Uncertainty-Aware, Risk-Adaptive Access Control for Agentic Systems using an LLM-Judged TBAC Model", 398 "authors": ["C. Fleming", "A. Kundu", "R. Kompella"], 399 "year": 2025, 400 "arxiv_id": "2510.11414", 401 "relevance": "Risk-adaptive access control for agentic systems, relevant to the paper's authentication and policy enforcement control categories." 402 } 403 ] 404 }