Listen to this Post

Introduction:
The rapid adoption of AI agent protocols—MCP, A2A, ANP, and ACP—has created a fragmented security landscape where individual protocol safeguards fail when systems are composed together. Recent security assurance reviews by Shenghan Zheng and teams from Palo Alto Networks and Meta have exposed 35 specification-level findings and 80 implementation tests against production SDKs, with 30 additional failures that emerge only under protocol composition. The core problem: no single control spans the full execution path when agents communicate across protocol boundaries, creating responsibility gaps that attackers can exploit.
Learning Objectives:
- Understand the composition safety problem in multi-agent AI protocols and why individual protocol security does not guarantee composed-system security
- Identify specific attack vectors in MCP↔ACP-Client compositions, including sanitization failures, local-action control gaps, and cross-protocol behavior inconsistencies
- Implement practical mitigation strategies including content isolation, policy enforcement proxies, and audit logging across protocol boundaries
1. Understanding Protocol Composition Risks: The MCP↔ACP-Client Case
The most common and dangerous composition scenario involves Model Context Protocol (MCP) servers communicating with Agent Client Protocol (ACP) clients. MCP serves as the “USB-C for Agentic AI,” connecting LLMs to external tools and data sources. ACP standardizes communication between code editors and coding agents that use generative AI to autonomously modify code.
When these protocols compose, sanitization responsibilities, local-action controls, and cross-protocol behavior enforcement are spread across different parties with no single authority over the full path. The MCP specification (revision 2025-06-18) encodes all messages in JSON-RPC 2.0 over stdio or Streamable HTTP transports. ACP adds its own JSON-RPC layer, creating a nested trust boundary where neither protocol can verify what happens at the other layer.
Step-by-Step Composition Risk Assessment:
- Map the trust chain: Identify all protocol layers in your agent workflow (host → MCP client → MCP server → ACP client → ACP agent). Document which party controls each layer.
-
Audit credential propagation: Check if tokens from one protocol are passed未经校验 to downstream APIs. The MCP spec explicitly forbids token passthrough.
-
Test cross-protocol injection: Send malicious tool outputs from an MCP server to an ACP client and observe if they influence agent behavior.
-
Verify audit completeness: Ensure logs distinguish actions by protocol layer and agent identity.
-
Implement content isolation: Configure quarantine summarization for MCP tool results flowing through ACP-serving sessions to prevent confused-deputy attacks.
-
The 35 Specification Findings and 80 Implementation Tests
The Palo Alto Networks and Meta security assurance review systematically evaluated five agent protocols against a comprehensive framework. The Agent Protocol Stack (APS), a 6-layer architectural model analogous to ITU-T X.800 for OSI, was used to assess completeness across transport security, authentication, authorization, consent, audit, and composition safety.
Key Findings:
- Only one protocol enforces a security-relevant control in practice
- No protocol enforces cross-protocol behavior
- 30 failures emerge exclusively under protocol composition
- Recurrent gaps identified in credential lifecycle management, consent enforcement, audit completeness, and composition safety
Implementation Test Commands:
To test your own MCP/ACP implementations:
Test MCP server STDIO injection vulnerability (OX Security April 2026 disclosure)
Affects 7,000+ public servers, 150M+ downloads
echo '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"$(id)"}}' | \
nc -U /tmp/mcp-server.sock
Audit MCP environment variable blocklist (GitHub PR 2436)
Check if dangerous vars are filtered: LD_PRELOAD, LD_LIBRARY_PATH, DYLD_
grep -r "is_dangerous_env_var" /path/to/mcp-bridge.rs
Test ACP JWS enforcement (optional JWS = high-impact integrity flaws)
Verify if your ACP implementation validates signatures
curl -X POST http://localhost:8080/acp/v1/tool \
-H "Content-Type: application/json" \
-d '{"tool":"read_file","params":{"path":"/etc/passwd"}}'
3. Credential Lifecycle and Identity Gaps
Agents operating without proper identity creates systemic security failures. There is no universal way to distinguish an AI agent from a human actor. When you connect MCP-compatible agents to systems, they receive “god mode”—full access to every tool the server exposes with the same credentials as the user.
The Identity Problem:
- No audit trail: Agent actions are indistinguishable from human actions in logs
- No revocation: Once an agent has credentials, no standard way to revoke them
- No authorization granularity: Access is all-or-1othing at the API key level
- Compliance blind spots: SOC 2, GDPR, HIPAA, and SOX requirements unmet for agentic actions
Mitigation Commands:
Deploy Agent Identity Protocol (AIP) proxy for MCP AIP adds policy-based authorization at the tool-call layer docker run -d -p 8080:8080 \ -v /path/to/policies:/policies \ openagentidentityprotocol/aip-proxy Configure AIP with policy enforcement cat > /etc/aip/policy.yaml <<EOF policies: - resource: "file://" actions: ["read"] require_approval: true - resource: "cmd://" actions: ["exec"] require_approval: true max_args: 2 EOF Enable AIP audit logging export AIP_AUDIT_LEVEL=verbose export AIP_LOG_FILE=/var/log/aip-audit.log
4. Content Injection and Tool Poisoning
MCP servers are code that runs near your data. Tool descriptions and schemas become part of the prompt—anything in a tool description, parameter name, or response can become an instruction to your model. CyberArk demonstrated that “no output from your MCP server is safe”.
Attack Vectors:
- Indirect Prompt Injection: Malicious instructions embedded in documents, emails, or data hijack agent behavior
- Tool Shadowing: One malicious server becomes a steering wheel for every other server’s credentials
- Tool Poisoning: Malicious descriptions/annotations in server definitions
Defensive Commands:
Deploy MCP security wrapper (trailofbits/mcp-context-protector) Replaces PATH with minimal set when launching MCP servers mcp-context-protector --config config.yaml \ --server-command "python3" \ --server-args "my_mcp_server.py" \ --sandbox-path "/usr/local/bin:/bin" Enable content isolation for MCP→ACP boundaries In agent config file: [security.content_isolation] enabled = true max_content_size = 1024000 flag_injection_patterns = true quarantine.enabled = true mcp_to_acp_boundary = true Scan MCP server for hidden malicious instructions mcp-scan --server http://localhost:3000 \ --detect-prompt-injection \ --detect-tool-shadowing \ --output-json report.json
5. Cross-Protocol Audit Visibility
Comprehensive visibility is essential for security. For auditing purposes, every request, response, and action must be logged. Yet only 24.4% of organizations report full visibility into agent interactions, and only 47.1% of deployed agents are actively monitored.
Audit Implementation:
Deploy AgentWard for policy enforcement and audit trails pip install agentward agentward --config agentward.yaml \ --mcp-server localhost:3000 \ --policy-file /etc/agentward/policies.yaml \ --audit-log /var/log/agentward-audit.log Sample policy for MCP tool calls cat > /etc/agentward/policies.yaml <<EOF policies: - name: "restrict_file_access" match: protocol: "MCP" tool: "read_file" action: "allow" conditions: - path: "^/data/." audit: log_full_payload: true notify_security: true EOF Enable structured logging for MCP servers export MCP_LOG_FORMAT=json export MCP_LOG_LEVEL=debug export MCP_AUDIT_ENABLED=true
6. The Composition Contracts Debate
The authors of the security review propose composition contracts and enforcement responsibility for runtimes. However, implementation faces practical challenges in the current “protocols war” stage where standards are rapidly evolving.
What Undercode Say:
- Composition failures are hard to fix—they often survive the normal disclosure pipeline because the responsibility chain has no clear endpoint
- Only transport security is consistently complete across all protocols; higher layers (authorization, consent, audit) remain fragmented
- The proposed composition contracts may not be implementable in practice at this stage of protocol development
- Cross-protocol design gaps cannot be detected by individual protocol analysis
- The security community must shift focus from single-protocol security to composed-system security
Expected Output:
The industry faces a critical choice: either establish enforceable composition contracts with clear responsibility boundaries, or accept that multi-agent AI systems will remain fundamentally insecure. The 35 specification findings and 80 implementation tests demonstrate that current protocols were designed for isolation, not composition.
Prediction:
- -1 Organizations deploying multi-agent systems without cross-protocol security controls will experience significant security incidents within 12-18 months
- -1 The “protocols war” phase will delay standardization of composition safety by 2-3 years
- +1 Emergence of security gateway layers (like AIP and AgentWard) will become the de facto standard for production deployments
- +1 Formal verification methods (TLA+ model checking) will gain adoption for validating protocol compositions
- -1 The 7,000+ public MCP servers with 150M+ downloads represent a massive supply chain attack surface that will be exploited
- +1 Zero-knowledge audit frameworks will enable privacy-preserving verification of agent communications
- -1 Compliance frameworks (SOC 2, GDPR, HIPAA) will struggle to address agentic actions without clear identity and audit standards
- +1 The OWASP MCP Top 10 will drive awareness and best practices
- -1 Organizations that treat MCP servers as “chatbot plugins” rather than privileged dependencies will face data breaches
- +1 Cryptographic security layers (MCPS with agent identity verification and per-message signing) will become mandatory
▶️ Related Video (86% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Ilyakabanov Security – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


