This content originally appeared on DEV Community and was authored by nasuy
MCP now has over 10,000 public servers. More than 50 companies are building A2A. AI agent protocols are growing fast.
But security research is not keeping up. For Agora and ANP, almost no security analysis existed before this paper.
In February 2026, researchers from the Canadian Institute for Cybersecurity and Mastercard published a paper that organizes 12 risks across 4 protocols (arXiv:2602.11327).
The Four Protocols
AI agent communication has different layers for different jobs.
- MCP, released by Anthropic in November 2024, connects AI to external tools and data using OAuth 2.1. It is already in production.
- A2A, announced by Google in April 2025, handles agent-to-agent communication with OAuth 2.0+JWT and is currently in draft stage.
- Agora, proposed by Marro et al. in October 2024, is a meta-protocol that dynamically generates and negotiates communication rules using hash-based authentication. It remains at the research stage.
- ANP, proposed by Chang et al. in July 2025, provides the network layer for large-scale agent networks using W3C DID for authentication. It is also at the research stage.
These protocols do not compete. They stack on top of each other.
12 Protocol-Level Risks
The paper sorts risks by lifecycle: creation, operation, and update.
The creation phase has four risks. MCP and Agora have weak identity checks. MCP and ANP do not protect registration data integrity. MCP has no namespace separation, so same-name tool spoofing works. Agora and ANP have no security policy defined at all.
The operation phase also has four risks. MCP does not verify what actually runs. MCP and A2A have no control over data exchange. MCP and A2A give permissions that are too broad. All four protocols lack rate limiting and backpressure.
The update phase has four more. MCP and A2A never cancel old credentials. Agora and ANP have no rollback protection. MCP does not sign or verify update packages. All protocols are vulnerable to dependency drift.
In short, the creation phase cannot verify who registered what. The operation phase cannot control what runs or how much access it has. The update phase leaves old credentials active and applies unsigned packages without checks.
MCP Experiment: Tool Spoofing
The researchers also ran an experiment on MCP. They set up a real server and a fake server, both using the same tool name (authorize_payment). Then they checked which one the AI called.
In first-match mode, the AI always called the wrong server (Violation Rate = 1.0). In best-match mode, it was wrong about half the time (Violation Rate = 0.52). Without cryptographic signatures, tool spoofing works reliably.
Reported Incidents
These incidents were reported on X and security news sites.
OpenClaw was shown to be vulnerable to indirect prompt injection, enabling backdoor installation and C2 deployment. A supply chain attack on Cline CLI v2.3.0 also led to approximately 4,000 unauthorized installations. An RCE vulnerability in MCP Inspector (CVE-2025-49596, CVSS 9.4) allowed remote code execution just by visiting a malicious web page (now patched). On ClawHub, Snyk's Agent Scan analysis (3,984 skills) found 76 confirmed malware packages. VirusTotal scanning was added to fix this. A Cursor MCP server leaked login credentials through indirect prompt injection.
Many of these reports come from X posts and have not been verified independently.
What to Do Now
Use cryptographic signatures to verify identity, not just names. Add supply chain checks like signature verification, code scanning, and version pinning. Watch MITRE ATLAS. They are adding attack techniques specific to AI agents. Set the default to least privilege and enforce token scope at the protocol level.
Over 10,000 MCP servers. Over 50 companies building A2A. Protocol adoption is outpacing security. The shift from "call tools by name" to "verify tools by signature" is the first step.
This content originally appeared on DEV Community and was authored by nasuy
nasuy | Sciencx (2026-03-15T05:08:11+00:00) MCP tool spoofing succeeds 100% of the time. A new paper maps 12 security risks across 4 agent protocols.. Retrieved from https://www.scien.cx/2026/03/15/mcp-tool-spoofing-succeeds-100-of-the-time-a-new-paper-maps-12-security-risks-across-4-agent-protocols/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.