No existing MCP security defense covers more than 34 percent of the attack surface. That is the central finding of MCPShield, a formal security framework posted to arXiv on April 8, 2026, by Nirajan Acharya and collaborators. The paper maps 23 distinct attack vectors across an ecosystem that now runs 97 million monthly SDK downloads and 177,000 registered tools. Their own reference architecture reaches 91 percent theoretical coverage by stacking four defense layers. The gap between 34 and 91 is the current state of MCP security, and it is worse than most deployers realize.
The paper matters because it is not another prompt injection catalogue. It constructs a formal model using labeled transition systems, derives four security properties with decidability results, and systematically evaluates 12 published defenses against a unified taxonomy. There is also a finding buried in the experimental data that no industry coverage has flagged: better models are more vulnerable, not less.
Why Better Instruction-Followers Are Easier Targets
Tool poisoning attacks embed malicious instructions in tool description fields. The LLM reads those descriptions as legitimate instructions and follows them. Experimental data cited in the paper found that o1-mini showed a 72.8 percent attack success rate on this class of attack. That number is high because o1-mini is a strong instruction follower. A model that follows instructions better is more vulnerable to instruction-based attacks.
This dynamic has no clean resolution through alignment alone. The authors note explicitly that LLM-internal attacks, meaning prompt injections that bypass semantic analysis, require advances in LLM alignment and adversarial resistance that fall outside the formal model’s scope. What the formal model can do is identify protocol-level controls that reduce the attack surface before requests reach the model at all. That framing reverses the usual security conversation. The solution is not a smarter model. It is less trust given to whatever model is running.
How the Ecosystem Outgrew Its Security Model
Anthropic introduced MCP in November 2024. Within 15 months, governance moved to the Linux Foundation’s Agentic AI Foundation. That transition is significant beyond the organizational chart. Under vendor-neutral governance, security standards become a multi-stakeholder negotiation rather than an internal product decision.
Simultaneously, the character of the ecosystem shifted. A 2024-to-2026 empirical study of 177,000 MCP tools, conducted by Stein and cited extensively in MCPShield, found that action-capable tools grew from 27 percent to 65 percent of the ecosystem. Read-only tools retrieve data. Write-capable tools modify external environments: delete files, send emails, execute purchases, update databases. The threat model for a read-only tool and a write-capable one are categorically different. Most of the published MCP security research was written when the ecosystem was mostly read-only.
Software development accounts for 67 percent of all agent tools and 90 percent of MCP server downloads. That concentration means attacks on code-execution-adjacent operations hit the majority of deployed agents.
The Formal Model: Labeled Transition Systems and Trust Boundaries
MCPShield’s technical contribution begins with placing MCP interactions inside a labeled transition system annotated with trust boundaries. This is the standard formalism for modeling protocols where the same sequence of actions means different things depending on which principal initiated them.
States represent the agent’s context window content combined with its tool invocation history. Labels represent tool calls, tool results, and permission decisions. Trust boundaries partition the state space into zones with different authorization requirements: the host application, the tool servers, and the external environment each occupy distinct zones. A transition that crosses a trust boundary without explicit authorization is a security violation by definition, regardless of whether the LLM intended it.
From this model, the paper derives four fundamental security properties. Tool integrity requires that tool behavior matches its declared specification. A tool described as returning stock prices should not also exfiltrate calendar data. Data confinement prohibits information from crossing trust boundaries without authorization. Privilege boundedness prevents agents from acquiring permissions beyond their granted scope. Context isolation requires that information in one context window cannot contaminate another agent’s context.
The decidability results attached to these properties are where the formal model gets practically useful. Tool integrity and privilege boundedness are decidable in polynomial time with static analysis, which means you can build tooling that certifies them before deployment. Data confinement requires runtime tracking because information flows depend on execution state. Context isolation is undecidable in the general case.
That last result is the one that matters most. No static analysis can fully verify context isolation. The attack that violates context isolation is prompt injection, and the formal model operates at the protocol level, not inside the model’s reasoning. The authors state this limitation directly. It is an honest statement of what formal methods can and cannot cover.
Seven Threat Categories Worth Naming
The taxonomy organizes attacks across four surfaces: tool server, transport layer, host application, and cross-agent communication. Seven categories span those surfaces. The five vectors most worth knowing sit in the tool poisoning category.
Description Injection (TV1) is the canonical attack already described above. Invariant Labs documented a “Fact of the Day” tool that exfiltrated a full WhatsApp chat history through this vector. Schema Manipulation (TV2) hides side-effect fields inside tool parameter schemas. Return Value Poisoning (TV3) places adversarial instructions inside execution results, chaining into further malicious tool calls. Tool Shadowing (TV4) registers a tool with the same name as a legitimate one to intercept invocations. Post-Approval Mutation (TV5) is the rug pull: a tool that passes initial review silently modifies its behavior after approval, exploiting MCP’s dynamic tool definition model.
Outside tool poisoning, the most consequential categories for production deployments are unauthorized actions (TC3), which addresses write-capable operations with real-world consequences like file deletion and financial transactions, and token budget exhaustion (TV17), where adversarial tools force extended reasoning loops that drain API budgets without completing useful work. TC3 was largely theoretical when most tools were read-only. With 65 percent of tools now write-capable, it is the category that translates directly into production incidents.
Cross-protocol threats (TC7, TV23) is the newest and least-developed category, addressing attack surfaces that emerge when MCP agents communicate with systems running Agent Communication Protocol or Agent-to-Agent Protocol. The paper’s treatment here is explicitly preliminary.
The 34 Percent Ceiling
The paper’s comparative evaluation examines 12 existing defense mechanisms against the 23 attack vectors. Input sanitization and output monitoring are the most widely deployed. Tool validation schemes like mcp-scan and AI-Infra-Guard have documented limitations: mcp-scan executes the server during scanning, meaning any malicious initialization logic runs before the scan completes. AI-Infra-Guard costs roughly $0.50 and takes around ten minutes per scan, which makes real-time protection impractical at scale.
MCPShield’s integrated four-layer architecture combines capability-based access control, cryptographic tool attestation, information flow tracking, and runtime policy enforcement to reach 91 percent theoretical coverage. Cryptographic tool attestation deserves specific attention. The MCPS-Secure specification, which MCPShield cites, proposes signing tool manifests at registration time and verifying signatures at invocation time. This directly addresses Post-Approval Mutation (TV5). A signed manifest cannot be silently modified after approval. Rug pull attacks become detectable, not just possible. No major MCP host has shipped this by April 2026.
The comparison to extensible tool ecosystem attacks more broadly is instructive. The REF6598 attack against Obsidian used no zero-day. It exploited the plugin model’s design. MCP tool poisoning follows the same pattern: no vulnerability in the LLM’s weights, no exploit in the network stack. The vulnerability is the trust model.
What Developers Can Do Now
The MCPShield defense architecture is a reference design, not a shipping product. The practical controls available today map against a subset of the taxonomy.
For tool poisoning (TV1-TV5): treat all tool descriptions and return values as untrusted data, not instructions. Verify tool provenance before adding any MCP server to a production agent. Pin tool versions and alert on schema changes. For supply chain hygiene, the pattern from layered security architectures applies: multiple independent verification steps, not single-point trust.
For token budget exhaustion (TV17): enforce hard token limits per tool call and per agent turn at the host level. Do not rely on the model to self-regulate. The agent’s cost controls should be outside the agent’s control.
For cross-protocol threats (TV23): the honest answer is that the attack surface is not well-characterized yet. A2A and ACP deployments are early. The paper identifies this as one of seven open research challenges. Developers building multi-protocol agent systems should treat the protocol intersections as untrusted until better analysis exists.
The mcp-scan and AI-Infra-Guard tools are worth running despite their limitations. Imperfect detection is better than no detection. But neither covers more than a fraction of the 23-vector taxonomy. Deploying them and calling the MCP security problem solved is the exact mistake the paper warns against.
Limitations of the MCPShield Analysis
The 91 percent coverage claim requires implementing all four defense layers simultaneously. Capability-based access control, cryptographic attestation, information flow tracking, and runtime policy enforcement are each non-trivial engineering investments. A team that implements two of the four layers will not get proportional coverage. The layers are interdependent.
The formal model’s decidability results apply to the protocol layer. Real-world context isolation failures happen at the semantic layer, inside the LLM’s reasoning, where formal protocol analysis cannot reach. The paper’s seven open research challenges include semantic-level context isolation verification and runtime information flow tracking without unacceptable latency overhead. Neither is solved.
Coverage is theoretical. Actual effectiveness depends on implementation quality and adversary sophistication. A well-resourced attacker targeting a production MCP deployment would not stop at the vectors MCPShield catalogs.
The Timeline Ahead
The governance transition to the Linux Foundation’s Agentic AI Foundation creates an opportunity for enforceable security standards rather than voluntary guidance. The International AI Safety Report 2026 assessed AI risk management techniques as improving but insufficient. For MCP specifically, the timeline between “widely deployed” and “formally analyzed” was 15 months. The timeline between “formally analyzed” and “defended” depends on whether MCP hosts ship cryptographic attestation, capability-based access control, and runtime policy enforcement in the next 12 months, or whether the 34 percent coverage ceiling becomes the industry’s permanent floor.
The full paper is available at arxiv.org/abs/2604.05969.