{"id":"https://openalex.org/W7162412584","doi":"https://doi.org/10.48550/arxiv.2605.24069","title":"When the Manual Lies: A Realistic Benchmark to Evaluate MCP Poisoning Attacks for LLM Agents","display_name":"When the Manual Lies: A Realistic Benchmark to Evaluate MCP Poisoning Attacks for LLM Agents","publication_year":2026,"publication_date":"2026-05-22","ids":{"openalex":"https://openalex.org/W7162412584","doi":"https://doi.org/10.48550/arxiv.2605.24069"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.24069","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.24069","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.24069","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5137015217","display_name":"Shi Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Shi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5137017579","display_name":"Xuehai Tang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tang, Xuehai","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5137017414","display_name":"Xikang Yang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yang, Xikang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5137060870","display_name":"Liang Lin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lin, Liang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5064648779","display_name":"Biyu Zhou","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhou, Biyu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5137037684","display_name":"Wenjie Xiao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xiao, Wenjie","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5011069823","display_name":"Wantao Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Wantao","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":7,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.4101000130176544,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.4101000130176544,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12026","display_name":"Explainable Artificial Intelligence (XAI)","score":0.07689999788999557,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.03590000048279762,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.6270999908447266},{"id":"https://openalex.org/keywords/sandbox","display_name":"Sandbox (software development)","score":0.5913000106811523},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.5889000296592712},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.5496000051498413},{"id":"https://openalex.org/keywords/covert","display_name":"Covert","score":0.47450000047683716},{"id":"https://openalex.org/keywords/attack-surface","display_name":"Attack surface","score":0.4553000032901764},{"id":"https://openalex.org/keywords/protocol","display_name":"Protocol (science)","score":0.4189999997615814},{"id":"https://openalex.org/keywords/computer-security-model","display_name":"Computer security model","score":0.3698999881744385}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7013999819755554},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6572999954223633},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.6270999908447266},{"id":"https://openalex.org/C167981075","wikidata":"https://www.wikidata.org/wiki/Q2667186","display_name":"Sandbox (software development)","level":2,"score":0.5913000106811523},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.5889000296592712},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.5496000051498413},{"id":"https://openalex.org/C2779338814","wikidata":"https://www.wikidata.org/wiki/Q5179285","display_name":"Covert","level":2,"score":0.47450000047683716},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.4553000032901764},{"id":"https://openalex.org/C2780385302","wikidata":"https://www.wikidata.org/wiki/Q367158","display_name":"Protocol (science)","level":3,"score":0.4189999997615814},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.3698999881744385},{"id":"https://openalex.org/C20136886","wikidata":"https://www.wikidata.org/wiki/Q749647","display_name":"Interoperability","level":2,"score":0.3677999973297119},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.3467000126838684},{"id":"https://openalex.org/C177212765","wikidata":"https://www.wikidata.org/wiki/Q627335","display_name":"Workflow","level":2,"score":0.3456000089645386},{"id":"https://openalex.org/C83163435","wikidata":"https://www.wikidata.org/wiki/Q3954104","display_name":"Security management","level":2,"score":0.34220001101493835},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.32440000772476196},{"id":"https://openalex.org/C169900460","wikidata":"https://www.wikidata.org/wiki/Q2200417","display_name":"Cognition","level":2,"score":0.3230000138282776},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.31049999594688416},{"id":"https://openalex.org/C10144332","wikidata":"https://www.wikidata.org/wiki/Q14645","display_name":"Rootkit","level":3,"score":0.3068000078201294},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.3041999936103821},{"id":"https://openalex.org/C12269588","wikidata":"https://www.wikidata.org/wiki/Q132364","display_name":"Communications protocol","level":2,"score":0.29589998722076416},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.27000001072883606},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.2556999921798706}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.24069","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.24069","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.24069","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.24069","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.7825323939323425}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"rise":[1],"of":[2,123,214],"tool-using":[3],"Large":[4],"Language":[5],"Model":[6,14],"(LLM)":[7],"agents,":[8],"standardized":[9],"by":[10,27],"protocols":[11],"like":[12,133],"the":[13,43,80,102,169,196,209],"Context":[15],"Protocol":[16],"(MCP),":[17],"has":[18],"unlocked":[19],"unprecedented":[20],"autonomous":[21],"execution":[22],"capabilities":[23],"for":[24,87,202,207],"LLM":[25],"Agents":[26],"integrating":[28],"external":[29],"open-domain":[30],"knowledge":[31],"and":[32,90,94,158,186,211],"tools.":[33],"However,":[34],"this":[35,97],"interoperability":[36],"introduces":[37],"a":[38,56,68,136,176],"covert":[39],"attack":[40],"surface":[41],"targeting":[42],"agent's":[44],"cognitive":[45,210],"planning":[46,89,212],"layer.":[47],"This":[48,106,193],"paper":[49],"systematically":[50,95],"investigates":[51],"Tool":[52],"Description":[53],"Poisoning":[54],"(TDP),":[55],"novel":[57],"semantic":[58],"attack.":[59],"In":[60],"TDP,":[61,203],"malicious":[62,190],"instructions":[63],"are":[64,155],"not":[65],"embedded":[66],"in":[67,143],"tool's":[69],"executable":[70],"code,":[71],"but":[72],"rather":[73],"covertly":[74],"injected":[75],"into":[76],"its":[77,188],"descriptive":[78],"metadata,":[79],"very":[81],"\"manual\"":[82],"an":[83,182],"agent":[84,183],"relies":[85],"on":[86],"secure":[88],"decision-making.":[91],"To":[92],"rigorously":[93],"evaluate":[96],"emerging":[98],"threat,":[99],"we":[100,167,173],"introduce":[101],"MCP-TDP":[103],"Security":[104],"Benchmark.":[105],"high-fidelity":[107],"sandbox":[108],"environment":[109],"comprises":[110],"32":[111],"realistic,":[112],"real-world":[113],"test":[114],"cases":[115],"spanning":[116],"6":[117],"distinct":[118],"risk":[119],"categories.":[120],"Our":[121],"evaluation":[122],"8":[124],"mainstream":[125],"LLMs":[126],"reveals":[127],"severe":[128],"vulnerabilities,":[129],"with":[130],"leading":[131],"models":[132],"GPT-4o":[134],"exhibiting":[135],"nearly":[137],"100%":[138],"Attack":[139],"Success":[140],"Rate":[141],"(ASR)":[142],"six":[144],"high-risk":[145],"scenarios.":[146],"Furthermore,":[147],"our":[148],"findings":[149],"demonstrate":[150],"that":[151],"common":[152],"prompt-guardrail":[153],"defenses":[154],"largely":[156],"ineffective":[157],"can,":[159],"counterintuitively,":[160],"even":[161],"be":[162],"counterproductive":[163],"(a":[164],"phenomenon":[165],"which":[166],"term":[168],"\"Firewall":[170],"Fallacy\").":[171],"Crucially,":[172],"also":[174],"propose":[175],"defense":[177],"mechanism:":[178],"\"Reactive":[179],"Self-Correction,\"":[180],"where":[181],"autonomously":[184],"detects":[185],"reverts":[187],"own":[189],"actions":[191],"post-execution.":[192],"work":[194],"provides":[195],"first":[197],"specialized":[198],"security":[199],"benchmark":[200],"tailored":[201],"offering":[204],"essential":[205],"insights":[206],"securing":[208],"layers":[213],"advanced":[215],"agentic":[216],"systems.":[217]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-05-27T00:00:00"}