{"id":"https://openalex.org/W7155503413","doi":"https://doi.org/10.48550/arxiv.2604.21477","title":"MCP Pitfall Lab: Exposing Developer Pitfalls in MCP Tool Server Security under Multi-Vector Attacks","display_name":"MCP Pitfall Lab: Exposing Developer Pitfalls in MCP Tool Server Security under Multi-Vector Attacks","publication_year":2026,"publication_date":"2026-04-23","ids":{"openalex":"https://openalex.org/W7155503413","doi":"https://doi.org/10.48550/arxiv.2604.21477"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.21477","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.21477","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.21477","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5134559456","display_name":"Run Hao","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Hao, Run","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5134476335","display_name":"Zhuoran Tan","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tan, Zhuoran","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5134559456"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.3328999876976013,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.3328999876976013,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.274399995803833,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12203","display_name":"Mobile Agent-Based Network Management","score":0.09109999984502792,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/workflow","display_name":"Workflow","score":0.612500011920929},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.5134000182151794},{"id":"https://openalex.org/keywords/server","display_name":"Server","score":0.5077000260353088},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.424699991941452},{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.4050000011920929},{"id":"https://openalex.org/keywords/card-security-code","display_name":"Card security code","score":0.3896999955177307},{"id":"https://openalex.org/keywords/data-integrity","display_name":"Data integrity","score":0.3431999981403351},{"id":"https://openalex.org/keywords/profiling","display_name":"Profiling (computer programming)","score":0.3407000005245209}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7922000288963318},{"id":"https://openalex.org/C177212765","wikidata":"https://www.wikidata.org/wiki/Q627335","display_name":"Workflow","level":2,"score":0.612500011920929},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5400999784469604},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.5134000182151794},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.5077000260353088},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.424699991941452},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.4050000011920929},{"id":"https://openalex.org/C149071572","wikidata":"https://www.wikidata.org/wiki/Q1035664","display_name":"Card security code","level":4,"score":0.3896999955177307},{"id":"https://openalex.org/C33762810","wikidata":"https://www.wikidata.org/wiki/Q461671","display_name":"Data integrity","level":2,"score":0.3431999981403351},{"id":"https://openalex.org/C187191949","wikidata":"https://www.wikidata.org/wiki/Q1138496","display_name":"Profiling (computer programming)","level":2,"score":0.3407000005245209},{"id":"https://openalex.org/C2779201187","wikidata":"https://www.wikidata.org/wiki/Q2775060","display_name":"Information leakage","level":2,"score":0.3402999937534332},{"id":"https://openalex.org/C77714075","wikidata":"https://www.wikidata.org/wiki/Q5452017","display_name":"Firewall (physics)","level":5,"score":0.3271999955177307},{"id":"https://openalex.org/C125209513","wikidata":"https://www.wikidata.org/wiki/Q4037520","display_name":"Doors","level":2,"score":0.3212999999523163},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.3050999939441681},{"id":"https://openalex.org/C2780385302","wikidata":"https://www.wikidata.org/wiki/Q367158","display_name":"Protocol (science)","level":3,"score":0.295199990272522},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.29440000653266907},{"id":"https://openalex.org/C207850805","wikidata":"https://www.wikidata.org/wiki/Q269608","display_name":"Reverse engineering","level":2,"score":0.2816999852657318},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.27799999713897705},{"id":"https://openalex.org/C80958533","wikidata":"https://www.wikidata.org/wiki/Q1047174","display_name":"Audit trail","level":3,"score":0.262800008058548},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.259799987077713},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.25589999556541443},{"id":"https://openalex.org/C75291252","wikidata":"https://www.wikidata.org/wiki/Q1315756","display_name":"TRACE (psycholinguistics)","level":2,"score":0.25290000438690186},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.2526000142097473}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.21477","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.21477","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.21477","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.21477","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Model":[0],"Context":[1],"Protocol":[2],"(MCP)":[3],"is":[4],"increasingly":[5],"adopted":[6],"for":[7],"tool-integrated":[8],"LLM":[9],"agents,":[10],"but":[11,42],"its":[12],"multi-layer":[13],"design":[14],"and":[15,30,64,70,90,92,101,136,140,157,189,202,210,220],"third-party":[16],"server":[17,87],"ecosystem":[18],"expand":[19],"risks":[20],"across":[21],"tool":[22,224],"metadata,":[23],"untrusted":[24],"outputs,":[25],"cross-tool":[26,138],"flows,":[27],"multimodal":[28,102],"inputs,":[29],"supply-chain":[31],"vectors.":[32],"Existing":[33],"MCP":[34,49,68,223],"benchmarks":[35],"largely":[36],"measure":[37],"robustness":[38],"to":[39,155,164],"malicious":[40],"inputs":[41],"offer":[43],"limited":[44],"remediation":[45],"guidance.":[46],"We":[47,77],"present":[48],"Pitfall":[50,214],"Lab,":[51],"a":[52,106,167,178],"protocol-aware":[53],"security":[54],"testing":[55],"framework":[56,160],"that":[57],"operationalizes":[58],"developer":[59],"pitfalls":[60],"as":[61,145],"reproducible":[62],"scenarios":[63],"validates":[65],"outcomes":[66],"with":[67,85],"traces":[69],"objective":[71],"validators":[72],"(rather":[73],"than":[74],"agent":[75,192],"self-report).":[76],"instantiate":[78],"three":[79,94],"workflow":[80],"challenges":[81],"(email,":[82],"document,":[83],"crypto)":[84],"six":[86,115],"variants":[88,116],"(baseline":[89],"hardened)":[91],"model":[93],"attack":[95],"families:":[96],"tool-metadata":[97],"poisoning,":[98],"puppet":[99,190],"servers,":[100],"image-to-tool":[103,141],"chains,":[104],"in":[105,177,198],"unified,":[107],"trace-grounded":[108],"evaluation.":[109],"In":[110],"Tier-1":[111,152],"static":[112],"analysis":[113],"over":[114],"(36":[117],"binary":[118],"labels),":[119],"our":[120],"analyzer":[121],"achieves":[122],"F1":[123],"=":[124],"1.0":[125],"on":[126],"four":[127],"statically":[128],"checkable":[129],"pitfall":[130],"classes":[131],"(P1,":[132],"P2,":[133],"P5,":[134],"P6)":[135],"flags":[137],"forwarding":[139],"leakage":[142],"(P3,":[143],"P4)":[144],"trace/dataflow-dependent.":[146],"Applying":[147],"recommended":[148],"hardening":[149,221],"eliminates":[150],"all":[151],"findings":[153],"(29":[154],"0)":[156],"reduces":[158],"the":[159,183],"risk":[161],"score":[162],"(10.0":[163],"0.0)":[165],"at":[166],"mean":[168],"cost":[169],"of":[170,173,200,204,222],"27":[171],"lines":[172],"code":[174],"(LOC).":[175],"Finally,":[176],"preliminary":[179],"19-run":[180],"corpus":[181],"from":[182,195],"email":[184],"system":[185],"challenge":[186],"(tool":[187],"poisoning":[188],"attacks),":[191],"narratives":[193],"diverge":[194],"trace":[196],"evidence":[197],"63.2%":[199],"runs":[201],"100%":[203],"sink-action":[205],"runs,":[206],"motivating":[207],"trace-based":[208],"auditing":[209],"regression":[211],"testing.":[212],"Overall,":[213],"Lab":[215],"enables":[216],"practical,":[217],"end-to-end":[218],"assessment":[219],"servers":[225],"under":[226],"realistic":[227],"multi-vector":[228],"conditions.":[229]},"counts_by_year":[],"updated_date":"2026-04-25T06:06:54.107920","created_date":"2026-04-25T00:00:00"}