Agent Protocol Composition: The Invisible Security Crisis in Multi-Agent AI Systems + Video

Listen to this Post

Featured Image

Introduction:

The rapid adoption of AI agent protocols—MCP, A2A, ANP, and ACP—has created a fragmented security landscape where individual protocol safeguards fail when systems are composed together. Recent security assurance reviews by Shenghan Zheng and teams from Palo Alto Networks and Meta have exposed 35 specification-level findings and 80 implementation tests against production SDKs, with 30 additional failures that emerge only under protocol composition. The core problem: no single control spans the full execution path when agents communicate across protocol boundaries, creating responsibility gaps that attackers can exploit.

Learning Objectives:

  • Understand the composition safety problem in multi-agent AI protocols and why individual protocol security does not guarantee composed-system security
  • Identify specific attack vectors in MCP↔ACP-Client compositions, including sanitization failures, local-action control gaps, and cross-protocol behavior inconsistencies
  • Implement practical mitigation strategies including content isolation, policy enforcement proxies, and audit logging across protocol boundaries

1. Understanding Protocol Composition Risks: The MCP↔ACP-Client Case

The most common and dangerous composition scenario involves Model Context Protocol (MCP) servers communicating with Agent Client Protocol (ACP) clients. MCP serves as the “USB-C for Agentic AI,” connecting LLMs to external tools and data sources. ACP standardizes communication between code editors and coding agents that use generative AI to autonomously modify code.

When these protocols compose, sanitization responsibilities, local-action controls, and cross-protocol behavior enforcement are spread across different parties with no single authority over the full path. The MCP specification (revision 2025-06-18) encodes all messages in JSON-RPC 2.0 over stdio or Streamable HTTP transports. ACP adds its own JSON-RPC layer, creating a nested trust boundary where neither protocol can verify what happens at the other layer.

Step-by-Step Composition Risk Assessment:

  1. Map the trust chain: Identify all protocol layers in your agent workflow (host → MCP client → MCP server → ACP client → ACP agent). Document which party controls each layer.

  2. Audit credential propagation: Check if tokens from one protocol are passed未经校验 to downstream APIs. The MCP spec explicitly forbids token passthrough.

  3. Test cross-protocol injection: Send malicious tool outputs from an MCP server to an ACP client and observe if they influence agent behavior.

  4. Verify audit completeness: Ensure logs distinguish actions by protocol layer and agent identity.

  5. Implement content isolation: Configure quarantine summarization for MCP tool results flowing through ACP-serving sessions to prevent confused-deputy attacks.

  6. The 35 Specification Findings and 80 Implementation Tests

The Palo Alto Networks and Meta security assurance review systematically evaluated five agent protocols against a comprehensive framework. The Agent Protocol Stack (APS), a 6-layer architectural model analogous to ITU-T X.800 for OSI, was used to assess completeness across transport security, authentication, authorization, consent, audit, and composition safety.

Key Findings:

  • Only one protocol enforces a security-relevant control in practice
  • No protocol enforces cross-protocol behavior
  • 30 failures emerge exclusively under protocol composition
  • Recurrent gaps identified in credential lifecycle management, consent enforcement, audit completeness, and composition safety

Implementation Test Commands:

To test your own MCP/ACP implementations:

 Test MCP server STDIO injection vulnerability (OX Security April 2026 disclosure)
 Affects 7,000+ public servers, 150M+ downloads
echo '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"$(id)"}}' | \
nc -U /tmp/mcp-server.sock

Audit MCP environment variable blocklist (GitHub PR 2436)
 Check if dangerous vars are filtered: LD_PRELOAD, LD_LIBRARY_PATH, DYLD_
grep -r "is_dangerous_env_var" /path/to/mcp-bridge.rs

Test ACP JWS enforcement (optional JWS = high-impact integrity flaws)
 Verify if your ACP implementation validates signatures
curl -X POST http://localhost:8080/acp/v1/tool \
-H "Content-Type: application/json" \
-d '{"tool":"read_file","params":{"path":"/etc/passwd"}}'

3. Credential Lifecycle and Identity Gaps

Agents operating without proper identity creates systemic security failures. There is no universal way to distinguish an AI agent from a human actor. When you connect MCP-compatible agents to systems, they receive “god mode”—full access to every tool the server exposes with the same credentials as the user.

The Identity Problem:

  • No audit trail: Agent actions are indistinguishable from human actions in logs
  • No revocation: Once an agent has credentials, no standard way to revoke them
  • No authorization granularity: Access is all-or-1othing at the API key level
  • Compliance blind spots: SOC 2, GDPR, HIPAA, and SOX requirements unmet for agentic actions

Mitigation Commands:

 Deploy Agent Identity Protocol (AIP) proxy for MCP
 AIP adds policy-based authorization at the tool-call layer
docker run -d -p 8080:8080 \
-v /path/to/policies:/policies \
openagentidentityprotocol/aip-proxy

Configure AIP with policy enforcement
cat > /etc/aip/policy.yaml <<EOF
policies:
- resource: "file://"
actions: ["read"]
require_approval: true
- resource: "cmd://"
actions: ["exec"]
require_approval: true
max_args: 2
EOF

Enable AIP audit logging
export AIP_AUDIT_LEVEL=verbose
export AIP_LOG_FILE=/var/log/aip-audit.log

4. Content Injection and Tool Poisoning

MCP servers are code that runs near your data. Tool descriptions and schemas become part of the prompt—anything in a tool description, parameter name, or response can become an instruction to your model. CyberArk demonstrated that “no output from your MCP server is safe”.

Attack Vectors:

  • Indirect Prompt Injection: Malicious instructions embedded in documents, emails, or data hijack agent behavior
  • Tool Shadowing: One malicious server becomes a steering wheel for every other server’s credentials
  • Tool Poisoning: Malicious descriptions/annotations in server definitions

Defensive Commands:

 Deploy MCP security wrapper (trailofbits/mcp-context-protector)
 Replaces PATH with minimal set when launching MCP servers
mcp-context-protector --config config.yaml \
--server-command "python3" \
--server-args "my_mcp_server.py" \
--sandbox-path "/usr/local/bin:/bin"

Enable content isolation for MCP→ACP boundaries
 In agent config file:
 [security.content_isolation]
 enabled = true
 max_content_size = 1024000
 flag_injection_patterns = true
 quarantine.enabled = true
 mcp_to_acp_boundary = true

Scan MCP server for hidden malicious instructions
mcp-scan --server http://localhost:3000 \
--detect-prompt-injection \
--detect-tool-shadowing \
--output-json report.json

5. Cross-Protocol Audit Visibility

Comprehensive visibility is essential for security. For auditing purposes, every request, response, and action must be logged. Yet only 24.4% of organizations report full visibility into agent interactions, and only 47.1% of deployed agents are actively monitored.

Audit Implementation:

 Deploy AgentWard for policy enforcement and audit trails
pip install agentward
agentward --config agentward.yaml \
--mcp-server localhost:3000 \
--policy-file /etc/agentward/policies.yaml \
--audit-log /var/log/agentward-audit.log

Sample policy for MCP tool calls
cat > /etc/agentward/policies.yaml <<EOF
policies:
- name: "restrict_file_access"
match:
protocol: "MCP"
tool: "read_file"
action: "allow"
conditions:
- path: "^/data/."
audit:
log_full_payload: true
notify_security: true
EOF

Enable structured logging for MCP servers
export MCP_LOG_FORMAT=json
export MCP_LOG_LEVEL=debug
export MCP_AUDIT_ENABLED=true

6. The Composition Contracts Debate

The authors of the security review propose composition contracts and enforcement responsibility for runtimes. However, implementation faces practical challenges in the current “protocols war” stage where standards are rapidly evolving.

What Undercode Say:

  • Composition failures are hard to fix—they often survive the normal disclosure pipeline because the responsibility chain has no clear endpoint
  • Only transport security is consistently complete across all protocols; higher layers (authorization, consent, audit) remain fragmented
  • The proposed composition contracts may not be implementable in practice at this stage of protocol development
  • Cross-protocol design gaps cannot be detected by individual protocol analysis
  • The security community must shift focus from single-protocol security to composed-system security

Expected Output:

The industry faces a critical choice: either establish enforceable composition contracts with clear responsibility boundaries, or accept that multi-agent AI systems will remain fundamentally insecure. The 35 specification findings and 80 implementation tests demonstrate that current protocols were designed for isolation, not composition.

Prediction:

  • -1 Organizations deploying multi-agent systems without cross-protocol security controls will experience significant security incidents within 12-18 months
  • -1 The “protocols war” phase will delay standardization of composition safety by 2-3 years
  • +1 Emergence of security gateway layers (like AIP and AgentWard) will become the de facto standard for production deployments
  • +1 Formal verification methods (TLA+ model checking) will gain adoption for validating protocol compositions
  • -1 The 7,000+ public MCP servers with 150M+ downloads represent a massive supply chain attack surface that will be exploited
  • +1 Zero-knowledge audit frameworks will enable privacy-preserving verification of agent communications
  • -1 Compliance frameworks (SOC 2, GDPR, HIPAA) will struggle to address agentic actions without clear identity and audit standards
  • +1 The OWASP MCP Top 10 will drive awareness and best practices
  • -1 Organizations that treat MCP servers as “chatbot plugins” rather than privileged dependencies will face data breaches
  • +1 Cryptographic security layers (MCPS with agent identity verification and per-message signing) will become mandatory

▶️ Related Video (86% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Ilyakabanov Security – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky