Overthinking Loops in Agents: A Structural Risk via MCP Tools

TL;DR

This paper reveals a structural risk in tool-using LLM agents where malicious tools can induce overthinking loops, significantly inflating resource use and degrading task performance, highlighting the need for structural defenses.

Contribution

It formalizes the concept of structural overthinking attacks in tool-using LLM agents and demonstrates their impact through practical implementations and evaluations.

Findings

Malicious tools can cause up to 142.4x token inflation.

Overthinking loops degrade task outcomes.

Decoding-time concision controls are ineffective against loops.

Abstract

Tool-using LLM agents increasingly coordinate real workloads by selecting and chaining third-party tools based on text-visible metadata such as tool names, descriptions, and return messages. We show that this convenience creates a supply-chain attack surface: a malicious MCP tool server can be co-registered alongside normal tools and induce overthinking loops, where individually trivial or plausible tool calls compose into cyclic trajectories that inflate end-to-end tokens and latency without any single step looking abnormal. We formalize this as a structural overthinking attack, distinguishable from token-level verbosity, and implement 14 malicious tools across three servers that trigger repetition, forced refinement, and distraction. Across heterogeneous registries and multiple tool-capable models, the attack causes severe resource amplification (up to $142.4\times$ tokens) and can degrade task outcomes. Finally, we find that decoding-time concision controls do not reliably prevent loop induction, suggesting defenses should reason about tool-call structure rather than tokens alone.