research(security): MCP tool poisoning threat model — multi-layered client-side mitigations (arXiv:2603.22489)

[bug-ops]

Source

arXiv:2603.22489 — Model Context Protocol Threat Modeling and Analyzing Vulnerabilities to Prompt Injection with Tool Poisoning (March 23, 2026)

Key Contribution

Threat-models MCP clients specifically. Identifies tool poisoning as the critical client-side attack vector (malicious tool descriptions injecting instructions into the agent's context). Evaluates 7 MCP clients' defenses and proposes a multi-layered mitigation strategy: description sanitization, trust scoring, runtime policy enforcement, and audit logging.

Relevance to Zeph

Directly targets zeph-mcp and zeph-tools:

• Zeph is an MCP client — tool poisoning applies to every ToolExecutor and sanitize_tools() path
• PR feat(mcp): implement MCP Roots protocol and cap tool descriptions (#2445, #2450) #2454 (MCP Roots) and existing sanitize.rs truncation are partial mitigations
• The paper's multi-layer defense model maps onto Zeph's existing trust score + audit log architecture
• Informs and extends open issue security(tools): adversarial policy agent — pre-execution LLM validation of tool calls against user-defined policies #2447 (adversarial policy agent)

Implementation Sketch

1. Add structured tool-description threat category to TrustScoreStore (penalize injection patterns)
2. Cross-reference with ContentSanitizer — apply quarantine-style scanning to tool descriptions at ingest
3. Integrate paper's policy labels into sanitize_tools() output annotations
4. Related: security(tools): adversarial policy agent — pre-execution LLM validation of tool calls against user-defined policies #2447 (pre-execution LLM policy validation), research(security): MCP tool trust/confidentiality metadata — capability labels + STPA-based data-flow policy (arXiv:2601.08012) #2420 (MCP trust/confidentiality metadata)

Priority

P2 — active attack surface in production MCP client code; paper directly maps to Zeph's architecture.