Summary
arXiv:2602.01129 — SMCP: Secure Model Context Protocol (February 2026)
Proposes concrete security hardening for the full MCP lifecycle. Covers five attack classes with mitigations:
Tool poisoning — malicious description/annotations fields steer model execution; mitigation: strip/sanitize fields before model sees them (partially addressed in #2472, security(mcp): tool poisoning detection and per-tool trust metadata (#2459, #2420))
Prompt injection via tool output — tool results containing adversarial instructions; mitigation: output sandboxing with intent anchor (see also #2306, research(security): VIGIL verify-before-commit for tool output streams — 22% attack reduction, intent-anchored sanitization (arXiv:2601.05755))
Fake installer / supply chain — SMCP proposes package signing for MCP server distribution
Stolen credentials — MCP servers with env/filesystem access can exfiltrate API keys; mitigation: per-server secret namespace isolation
Privilege escalation — server upgrades own permissions via tool call side-effects; mitigation: immutable capability grant at connection time
Gap in Zeph (zeph-mcp):
Tool output is currently passed to the LLM without intent-anchoring — vulnerable to injection via tool result
No per-MCP-server secret namespace; all servers share the same environment view
Capability grant is checked at invocation but not immutably fixed at connection time (server could advertise new tools after auth)
Proposed Improvements
Apply VIGIL-style intent anchor to MCP tool output before inserting into context (research backing: #2306, research(security): VIGIL verify-before-commit for tool output streams — 22% attack reduction, intent-anchored sanitization (arXiv:2601.05755))
Namespace MCP server env access: each server only sees a restricted env slice based on declared capability
Snapshot and lock tool list at connection time; refuse re-registration mid-session
References