research(security): MCP/A2A protocol threat modeling — shadowing attacks, privilege escalation, coarse-grained tokens (arXiv:2602.11327)

[bug-ops]

Summary

arXiv:2602.11327 — Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP (February 11, 2026)

Systematic security threat model covering four agent protocols. Key attack vectors directly applicable to Zeph:

MCP threats:

• Tool shadowing: malicious server registers tools with names overlapping legitimate ones; client selects wrong tool
• Tool poisoning via description injection: malicious instructions embedded in description field influence model behavior
• Credential exfiltration: tools with filesystem/network access can leak vault secrets if execution is not sandboxed

A2A threats:

• Coarse-grained token privilege escalation: A2A tokens issued for one agent can be replayed to another agent in the same trust domain
• Agent impersonation: without cryptographic identity, rogue agents can claim legitimate identities during task delegation

Gap in Zeph:

• zeph-mcp: shadowing detection added (security(mcp): tool poisoning detection and per-tool trust metadata (#2459, #2420) #2472) but no cross-server deduplication of tool names; a malicious second server can shadow a tool from a trusted first server
• zeph-a2a: token scope is not per-task; a token obtained for subtask A can be presented for subtask B in the same session
• No cryptographic agent identity verification in either zeph-mcp or zeph-a2a

Proposed Improvements

1. Cross-server tool name collision detection in McpManager — flag or reject duplicate tool names across servers with different trust levels
2. Per-task token scoping in A2A delegation — bind token to task ID + agent endpoint
3. Optional agent identity signature verification (JWK/Ed25519) in A2A handshake

References

• Paper: https://arxiv.org/abs/2602.11327
• Related: research(security): cross-tool prompt injection taxonomy — 7 MCP clients evaluated, static validation insufficient (arXiv:2603.21642) #2480 (cross-tool injection taxonomy), research(security): OAP declarative pre-action authorization — 0% social engineering success, 53ms latency (arXiv:2603.20953) #2406 (OAP pre-action authorization), research(security): MCP tool poisoning threat model — multi-layered client-side mitigations (arXiv:2603.22489) #2459 (tool poisoning detection — merged)