MCPShield: A Security Cognition Layer for Adaptive Trust Calibration in Model Context Protocol Agents

TL;DR

MCPShield introduces a security layer for LLM agents using the Model Context Protocol, enhancing trust calibration and defending against MCP-based attacks through metadata-guided validation and runtime reasoning.

Contribution

It presents MCPShield, a novel plug-in security cognition layer that improves security in MCP-based agent tool invocation by leveraging human-inspired validation and runtime analysis.

Findings

Successfully defends against six novel MCP-based attack scenarios

Maintains low false positives on benign servers

Imposes minimal deployment overhead

Abstract

The Model Context Protocol (MCP) standardizes tool use for LLM-based agents and enable third-party servers. This openness introduces a security misalignment: agents implicitly trust tools exposed by potentially untrusted MCP servers. However, despite its excellent utility, existing agents typically offer limited validation for third-party MCP servers. As a result, agents remain vulnerable to MCP-based attacks that exploit the misalignment between agents and servers throughout the tool invocation lifecycle. In this paper, we propose MCPShield as a plug-in security cognition layer that mitigates this misalignment and ensures agent security when invoking MCP-based tools. Drawing inspiration from human experience-driven tool validation, MCPShield assists agent forms security cognition with metadata-guided probing before invocation. Our method constrains execution within controlled boundaries while cognizing runtime events, and subsequently updates security cognition by reasoning over historical traces after invocation, building on human post-use reflection on tool behavior. Experiments demonstrate that MCPShield exhibits strong generalization in defending against six novel MCP-based attack scenarios across six widely used agentic LLMs, while avoiding false positives on benign servers and incurring low deployment overhead. Overall, our work provides a practical and robust security safeguard for MCP-based tool invocation in open agent ecosystems.