From Function Calls to MCPs for Securing AI Agent Systems: Architecture, Challenges and Countermeasures

Abstract: With the widespread deployment of large language models (LLMs) in complex and multimodal scenarios, there is a growing demand for secure and standardized integration of external tools and data sources. The Model Context Protocol (MCP), proposed by Anthropic in late 2024, has emerged as a promising framework. Designed to standardize the interaction between LLMs and their external environments, it serves as a “USB-C interface for AI”. While MCP has been rapidly adopted in the industry, systematic academic studies on its security implications remain scarce. This paper presents a comprehensive review of MCP from a security perspective. We begin by analyzing the architecture and workflow of MCP and identify potential security vulnerabilities across key stages including input processing, decision-making, client invocation, server response, and response generation. We then categorize and assess existing defense mechanisms. In addition, we design a real-world attack experiment to demonstrate the feasibility of tool description injection within an actual MCP environment. Based on the experimental results, we further highlight underexplored threat surfaces and propose future directions for securing AI agent systems powered by MCP. This paper aims to provide a structured reference framework for researchers and developers seeking to balance functionality and security in MCP-based systems.

Keywords: Model Context Protocol (MCP); security risks; agent systems