IntentMiner: Intent Inversion Attack via Tool Call Analysis in the Model Context Protocol
Yunhao Yao, Zhiqiang Wang, Haoran Cheng, Yihang Cheng, Haohua Du, Xiang-Yang Li

TL;DR
This paper reveals a privacy vulnerability in Large Language Model-based AI agents, showing that third-party servers can infer user intent through tool call analysis, and introduces IntentMiner to accurately reconstruct intents.
Contribution
The paper introduces IntentMiner, a hierarchical semantic parsing method that effectively infers user intent from tool call metadata, exposing a new privacy threat in MCP-based AI systems.
Findings
IntentMiner achieves over 85% semantic alignment with original queries.
It surpasses baseline methods in intent reconstruction accuracy.
The work exposes endogenous privacy vulnerabilities in LLM agent architectures.
Abstract
The evolution of Large Language Models (LLMs) into Agentic AI has established the Model Context Protocol (MCP) as the standard for connecting reasoning engines with external tools. Although this decoupled architecture fosters modularity, it simultaneously shatters the traditional trust boundary. We uncover a novel privacy vector inherent to this paradigm: the Intent Inversion Attack. We show that semi-honest third-party MCP servers can accurately reconstruct users' underlying intents by leveraging only authorized metadata (e.g., function signatures, arguments, and receipts), effectively bypassing the need for raw query access. To quantify this threat, we introduce IntentMiner. Unlike statistical approaches, IntentMiner employs a hierarchical semantic parsing strategy that performs step-level intent reconstruction by analyzing tool functions, parameter entities, and result feedback in an…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Blockchain Technology Applications and Security
