Source
arXiv:2603.12230 — Security Considerations for Artificial Intelligence Agents (2026-03-12, Perplexity/NIST response)
Technique
Systematic analysis of attack surfaces across input/model/execution layers with emphasis on:
Confused-deputy problem in agents: When an agent simultaneously holds two trust levels (e.g., acts as a trusted server to one party and an untrusted client to another), a malicious input from the untrusted side can exploit the agent's trusted credentials on the other side.
Privilege control gaps identified:
- Agents executing tool calls with the same privilege as the user (no least-privilege)
- MCP passthrough creating implicit privilege amplification
- Multi-agent handoffs leaking credentials across trust boundaries
Assessment methodology: Structured privilege audit across 8 agent architectures. Identifies where each architecture has privilege boundary gaps.
Applicability to Zeph — Specific gap
Zeph in ACP+MCP configuration acts as:
- ACP server — trusted by Zed IDE (has filesystem, terminal capabilities)
- MCP client — connects to external MCP servers (untrusted third-party tools)
A malicious MCP server could craft a tool response that, when processed by Zeph's ACP layer, causes Zeph to use its trusted ACP credentials to perform actions on behalf of the attacker.
Current mitigations in Zeph:
- ContentIsolation + spotlight_untrusted = true — partially mitigates
- ExfiltrationGuard — prevents URL-based exfiltration
- MCP trust_level = "untrusted" + tool_allowlist — per-server trust
Gap: No explicit privilege boundary enforcement between MCP response processing and ACP capability invocation paths. No audit trail linking MCP tool calls to ACP actions in the same turn.
Implementation sketch
- Audit zeph-acp/src/ for any code path that processes MCP tool results and then invokes ACP capabilities
- Ensure MCP tool results entering the ACP-serving path are treated as untrusted content (equivalent to spotlight_untrusted)
- Add a cross-subsystem audit log entry when an MCP result influences an ACP capability invocation
- Config: [security.content_isolation] mcp_to_acp_boundary = true
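An added example in Rust (not Zeph's own code) of the boundary the sketch above describes: untrusted MCP results are fenced on ingest and recorded per turn, a privileged ACP capability requested later in the same turn is blocked while the boundary is enforced, and every ACP invocation gets an audit entry naming the untrusted MCP sources that preceded it. The type names, the capability names and the boolean standing in for mcp_to_acp_boundary are assumptions.

```rust
// Added example, not Zeph's code: turn-scoped trust boundary between MCP tool
// results and ACP capability invocations, with an audit entry linking the two.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Trust { Trusted, Untrusted }

#[derive(Clone, Debug, PartialEq)]
pub enum Decision { Allowed, Blocked }

#[derive(Clone, Debug, PartialEq)]
pub struct AuditEntry {
    pub capability: String,
    pub influenced_by: Vec<String>, // "server/tool" ids of untrusted MCP results seen this turn
    pub decision: Decision,
}

pub struct Turn {
    boundary_enforced: bool,        // stands in for the hypothetical mcp_to_acp_boundary flag
    untrusted_sources: Vec<String>, // untrusted MCP results ingested so far in this turn
    pub audit: Vec<AuditEntry>,
}

// Capabilities that change state on the trusted (IDE) side. Assumed names for illustration.
const PRIVILEGED: [&str; 3] = ["fs/write_text_file", "terminal/create", "fs/delete"];

impl Turn {
    pub fn new(boundary_enforced: bool) -> Self {
        Turn { boundary_enforced, untrusted_sources: Vec::new(), audit: Vec::new() }
    }

    // Ingest one MCP tool result. An untrusted result is fenced so the model treats it as
    // data rather than instructions (the spotlighting idea) and its source is recorded.
    pub fn ingest_mcp_result(&mut self, server: &str, tool: &str, trust: Trust, text: &str) -> String {
        match trust {
            Trust::Trusted => text.to_string(),
            Trust::Untrusted => {
                self.untrusted_sources.push(format!("{server}/{tool}"));
                format!("<<untrusted mcp:{server}/{tool}>>\n{text}\n<<end untrusted>>")
            }
        }
    }

    // Gate an ACP capability: privileged + untrusted MCP content already in this turn = blocked
    // while the boundary is enforced. Read-only capabilities pass but are still audited.
    pub fn invoke_acp(&mut self, capability: &str) -> Decision {
        let tainted = !self.untrusted_sources.is_empty();
        let blocked = self.boundary_enforced && PRIVILEGED.contains(&capability) && tainted;
        let decision = if blocked { Decision::Blocked } else { Decision::Allowed };
        self.audit.push(AuditEntry { capability: capability.to_string(),
            influenced_by: self.untrusted_sources.clone(), decision: decision.clone() });
        decision
    }
}
```

The turn-level taint is deliberately coarse; a finer rule would block only capabilities whose arguments actually carry content from an untrusted result, which the audit entry's source list makes it possible to trace.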
Related
- [security.content_isolation] spotlight_untrusted = true