From Function Calls to MCPs for Securing AI Agent Systems: Architecture, Challenges and Countermeasures

doi:10.12142/ZTECOM.202503004

ZTE Communications ›› 2025, Vol. 23 ›› Issue (3): 27-37.DOI: 10.12142/ZTECOM.202503004

• Special Topic • Previous Articles Next Articles

From Function Calls to MCPs for Securing AI Agent Systems: Architecture, Challenges and Countermeasures

WANG Wei¹, LI Shaofeng², DONG Tian¹, MENG Yan¹, ZHU Haojin¹()

^1.Shanghai Jiao Tong University, Shanghai 200240, China
^2.Southeast University, Nanjing 211189, China

Received:2025-07-25 Online:2025-09-11 Published:2025-09-11
About author:WANG Wei received her BA degree in French with a minor in information engineering from Shanghai Jiao Tong University, China in 2024. She is currently pursuing her ME degree in electronic information at Shanghai Jiao Tong University. Her research focuses on the security of large language models and AI agent systems.
LI Shaofeng is an associate professor at the School of Computer Science and Engineering, Southeast University, China. He received his PhD degree from the Department of Computer Science and Engineering at Shanghai Jiao Tong University, China in 2022. From 2022 to 2024, he worked as a postdoctoral researcher at Peng Cheng Laboratory, China. His research interests include artificial intelligence and system security. He received the Distinguished Paper Award at USENIX Security 2024 and the Best Paper Award Runner-up at ACM CCS 2021.
DONG Tian received his PhD degree at computer science and technology from Shanghai Jiao Tong University, China in 2025. He received his MS degree in electronic and communication engineering from Shanghai Jiao Tong University in 2022. His research interests include the intersection of security, privacy, and machine learning.
MENG Yan is an assistant professor in Shanghai Jiao Tong University, China. He received his PhD degree in computer science and technology from Shanghai Jiao Tong University in 2021. He received his BS degree in electronic and information engineering from Huazhong University of Science and Technology, China in 2016. His research interests include wireless network security and IoT security. He received the 2022 ACM China Doctoral Dissertation Award and the Young Elite Scientists Sponsorship Program by CAST.
ZHU Haojin (zhu-hj@cs.sjtu.edu.cn) received his BS degree from Wuhan University, China in 2002, MS degree from Shanghai Jiao Tong University, China in 2005 (both in computer science), and PhD degree in electrical and computer engineering from the University of Waterloo, Canada in 2009. He is currently a professor and the Vice Dean of the School of Computer Science at Shanghai Jiao Tong University. His current research interests include network security and privacy enhancing technologies. He received a number of awards including SIGSOFT Distinguished Paper of ESEC/FSE (2023), ACM CCS Best Paper Runner-Ups Award (2021). He is now an editor of IEEE Transactions on Wireless Communications and ACM Transactions on Privacy and Security. He is also a program committee member for top conferences such as USENIX Security, ACM CCS, NDSS, and IEEE INFOCOM.
Supported by:
the National Natural Science Foundation of China(62325207)

Abstract

Abstract:

With the widespread deployment of large language models (LLMs) in complex and multimodal scenarios, there is a growing demand for secure and standardized integration of external tools and data sources. The Model Context Protocol (MCP), proposed by Anthropic in late 2024, has emerged as a promising framework. Designed to standardize the interaction between LLMs and their external environments, it serves as a “USB-C interface for AI”. While MCP has been rapidly adopted in the industry, systematic academic studies on its security implications remain scarce. This paper presents a comprehensive review of MCP from a security perspective. We begin by analyzing the architecture and workflow of MCP and identify potential security vulnerabilities across key stages including input processing, decision-making, client invocation, server response, and response generation. We then categorize and assess existing defense mechanisms. In addition, we design a real-world attack experiment to demonstrate the feasibility of tool description injection within an actual MCP environment. Based on the experimental results, we further highlight underexplored threat surfaces and propose future directions for securing AI agent systems powered by MCP. This paper aims to provide a structured reference framework for researchers and developers seeking to balance functionality and security in MCP-based systems.

Key words: Model Context Protocol (MCP), security risks, agent systems

WANG Wei, LI Shaofeng, DONG Tian, MENG Yan, ZHU Haojin. From Function Calls to MCPs for Securing AI Agent Systems: Architecture, Challenges and Countermeasures[J]. ZTE Communications, 2025, 23(3): 27-37.

Figures/Tables 7

References 48

[1]	LEWIS P, PEREZ E, PIKTUS A, et al. Retrieval-augmented generation for knowledge-intensive NLP tasks [C]//The 34th International Conference on Neural Information Processing Systems. ACM, 2020: 9459–9474
[2]	OpenAI. Function calling [EB/OL]. (2023-07-20)[2025-06-02].
[3]	OpenAI. ChatGPT plugins [EB/OL]. (2023-03-23)[2025-06-02].
[4]	Logankilpatrik. Plugins quickstart [EB/OL]. (2023-04-10)[2025-06-02].
[5]	LangChain. LangChain: framework for developing applications powered by language models [EB/OL]. (2022-10-01)[2025-06-02].
[6]	Langflow. Langflow: visual programming for LLM apps [EB/OL]. (2023-05-15)[2025-06-02].
[7]	Microsoft. Semantic kernel [EB/OL]. (2023-06-10)[2025-06-02].
[8]	WU Q Y, BANSAL G, ZHANG J Y, et al. AutoGen: enabling next-gen LLM applications via multi-agent conversations [EB/OL]. (2023-08-16) [2025-06-02].
[9]	ModelContextProtocol. MCP servers directory [EB/OL]. (2024-12-10)[2025-06-02].
[10]	Anthropic. Introducing the model context protocol [EB/OL]. (2024-11-25)[2025-06-02].
[11]	HOU X Y, ZHAO Y J, WANG S A, et al. Model context protocol (MCP): landscape, security threats, and future research directions [EB/OL]. [2025-06-02].
[12]	OpenAI. OpenAI agents SDK-model context protocol (MCP) [EB/OL]. (2025-03-25)[2025-06-02].
[13]	Cursor. Learn how to add and use custom MCP tools within cursor [EB/OL]. (2025-04-10)[2025-06-02].
[14]	Anthropic. For claude desktop users [EB/OL]. (2024-12-01)[2025-06-02].
[15]	Google. MCP documentation [EB/OL]. (2025-05-01)[2025-06-02].
[16]	Microsoft. Securing the model context protocol: building a safer agentic future on Windows [EB/OL]. (2025-05-19)[2025-06-02].
[17]	MCP.so. MCP.so: a community-driven platform for MCP servers [EB/OL]. (2025-01-20)[2025-06-02].
[18]	Glama.ai. Glama MCP servers [EB/OL]. (2025-05-15)[2025-06-02].
[19]	ModelScope. MCP square modelscope [EB/OL]. (2025-04-15)[2025-06-02].
[20]	Punkpeye. FastMCP: a typescript framework for building MCP servers [EB/OL]. (2025-04-28)[2025-06-02].
[21]	Strowk. Foxy contexts: a golang library for building context servers supporting MCP [EB/OL]. (2025-04-18)[2025-06-02].
[22]	Wong 2. LiteMCP: a typescript framework for building MCP servers elegantly [EB/OL]. (2025-04-10)[2025-06-02].
[23]	NARAJALA V S, HABLER I. Enterprise-grade security for the model context protocol (MCP): frameworks and mitigation strategies [EB/OL]. [2025-06-02].
[24]	IDP. Why the MCP Protocol is not as secure as it seems: a technical perspective [EB/OL]. (2025-05-14)[2025-06-02].
[25]	YU W C, HU K, PANG T Y, et al. Infecting LLM-based multi-agents via self-propagating adversarial attacks [EB/OL]. [2025-06-02].
[26]	NAHIAN M AL, ALTAWEEL Z, REITANO D, et al. Robo-Troj: attacking LLM-based task planners [EB/OL]. (2025-04-23)[2025-06-02].
[27]	WANG K, ZHANG G B, ZHOU Z H, et al. A comprehensive survey in LLM(-agent) full stack safety: data, training and deployment [EB/OL]. (2025-04-22)[2025-06-02].
[28]	COHEN E. The LLM as an accomplice: exploiting MCP servers via context injection [EB/OL]. (2025-04-08)[2025-06-02].
[29]	MCCARTHY R. MCP security research briefing [EB/OL]. (2025-05-20)[2025-06-02].
[30]	SHI J W, YUAN Z H, TIE G Y, et al. Prompt injection attack to tool selection in LLM agents [EB/OL]. (2025-04-28)[2025-06-12].
[31]	Labs Invariant. WhatsApp MCP exploited: exfiltrating your message history via MCP [EB/OL]. (2025-04-07)[2025-06-12].
[32]	ZOU W, GENG R P, WANG B H, et al. PoisonedRAG: knowledge corruption attacks to retrieval-augmented generation of large language models [EB/OL]. (2025-05-05)[2025-06-12].
[33]	Solo.io. Deep dive: MCP and A2A attack vectors for AI agents [EB/OL]. (2025-05-05)[2025-06-12].
[34]	LUO W D, LU T Y, ZHANG Q M, et al. Doxing via the lens: revealing privacy leakage in image geolocation for agentic multi-modal large reasoning model [EB/OL]. (2025‑04‑27)[2025‑06‑24].
[35]	SONG H, SHEN Y M, LUO W X, et al. Beyond the protocol: unveiling attack vectors in the model context protocol ecosystem [EB/OL]. (2025‑05‑31)[2025‑06‑24].
[36]	WANG Z H, LI H W, ZHANG R, et al. MPMA: preference manipulation attack against model context protocol [EB/OL]. (2025‑05‑16)[2025‑06‑24].
[37]	POLLOCK G. Asana discloses data exposure bug in MCP server [EB/OL]. (2025‑06‑18)[2025‑07‑24].
[38]	AnuPriya. Hackers exploit Atlassian via malicious support ticket submission [EB/OL]. (2025‑06‑20)[2025‑07‑24].
[39]	HU J H, LI H R, HU W B, et al. MCIP: protecting MCP safety via model contextual integrity protocol [EB/OL]. (2025-02-06)[2025-06-12].
[40]	Cloud Security Alliance. Agentic AI threat modeling framework: maestro [EB/OL]. (2025-02-06)[2025-06-12].
[41]	KUMAR S, GIRDHAR A, PATIL R, et al. MCP guardian: a security-first layer for safeguarding MCP-based AI system [EB/OL]. (2025-04-17)[2025-06-02].
[42]	Permit.io. MCP permissions architecture [EB/OL]. (2025-04-15)[2025-06-02].
[43]	RADOSEVICH B, HALLORAN J T. MCP safety audit: LLMs with the model context protocol allow major security exploits [EB/OL]. (2025-04-25)[2025-06-12].
[44]	LI E, MALLICK T, ROSE E, et al. ACE: a security architecture for LLM-integrated App systems [EB/OL]. (2025-04-29)[2025-06-12].
[45]	SYROS G, SURI A, NITA-ROTARU C. SAGA: a security architecture for governing AI agentic systems [EB/OL]. (2025-04-27)[2025-06-12].
[46]	SHI T, HE J, WANG Z. Progent: programmable privilege control for LLM agents [EB/OL]. (2025-04-16)[2025-06-12].
[47]	BHATT M, NARAJALA V S, HABLER I. ETDI: mitigating tool squatting and rug pull attacks in model context protocol (MCP) by using OAuth-enhanced tool definitions and policy-based access control [EB/OL]. (2025-06-02)[2025-06-12].
[48]	Cline Bot Inc. Cline [EB/OL]. (2024-07-02)[2025-06-12].

Model	Total Invocations	Selections of weather1	Bias Rate/%	Explicit Reference to Description
Qwen-14B	10	10	100	Yes (partially mentions “prioritize”)
DeepSeek-V3	10	8	80	Yes (partially mentions “prioritize”)
LLaMA2-70B	10	10	100	Yes (all mentions “prioritize”)
Grok-2	10	10	100	Yes (partially mentions “prioritize”)
Gemini-2.5	10	10	100	Yes (partially mentions “prioritize”)

Model	Total Invocations	Selections of weather1	Bias Rate/%	Explicit Reference to Description
Qwen-14B	10	10	100	Yes (partially mentions “prioritize”)
DeepSeek-V3	10	8	80	Yes (partially mentions “prioritize”)
LLaMA2-70B	10	10	100	Yes (all mentions “prioritize”)
Grok-2	10	10	100	Yes (partially mentions “prioritize”)
Gemini-2.5	10	10	100	Yes (partially mentions “prioritize”)

Model	Total Invocations	Misleading Responses	Misleading Rate/%	Comments
Qwen-14B	10	8	80	In one case, the LLM was mentioned “as requested”. In another case, the LLM suggested checking official sources to confirm the alert information
DeepSeek-V3	10	9	90	In one case, the LLM did not output any hurricane-related content despite the injected instruction
Grok-2	10	10	100	All responses were misled
Gemini-2.5	10	10	100	All responses were misled

Model	Total Invocations	Misleading Responses	Misleading Rate/%	Comments
Qwen-14B	10	8	80	In one case, the LLM was mentioned “as requested”. In another case, the LLM suggested checking official sources to confirm the alert information
DeepSeek-V3	10	9	90	In one case, the LLM did not output any hurricane-related content despite the injected instruction
Grok-2	10	10	100	All responses were misled
Gemini-2.5	10	10	100	All responses were misled

From Function Calls to MCPs for Securing AI Agent Systems: Architecture, Challenges and Countermeasures

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 48

Related Articles 0

Recommended Articles

Metrics