In-depth study: MCP and A2A protocol analysis and security guide

• Read sensitive configuration file (~/.cursor/mcp.json)
• Access SSH private key (~/.ssh/id_rsa)
• Transport this data in a hidden manner through the sidenote parameter
• Use mathematical explanation to cover this point for users

Currently, many MCP Client implementations have not comprehensively reviewed and excluded malicious descriptions. MCP Client needs to clearly display the description and parameters of the MCP tool to users.

The A2A system using a multi-agent collaborative model also faces similar poisoning risks. Malicious Agents may send tasks containing malicious instructions to other Agents.

Another challenge of the A2A model is how to establish trust in multi-round task interactions. Attackers can trick Agents into executing operations they should not execute, such as requesting a script analyzer Agent to perform certain analyses on a script. After receiving a response (e.g., "This script deploys an application"), the attacker can guide the Agent and potentially discover sensitive information like the application's certificates. In this case, determining the authorization scope and access to tools is crucial.

3. Rug Pulls

Rug Pulls are another major threat in the AI Agent ecosystem. Such attacks establish seemingly legitimate services and build trust over time, but suddenly inject malicious instructions once widely adopted, causing harm.

The attack principle is as follows:

1. Malicious attacker deploys a genuinely valuable MCP service 2. Users install and enable the original MCP service with normal functionality; 3. The attacker injects malicious instructions in the MCP Server at a certain time; 4. Subsequently, users are attacked when using the tool.

This is a common attack method in software supply chain security, currently very common in MCP and A2A ecosystems, and the current MCP and A2A protocols lack consistency verification of remote server code, further increasing the risk of Rug Pulls.

Security Recommendations

1. Improve Permission Management

Currently, MCP supports the OAuth2.1 authorization authentication framework to ensure strict permission management between MCP clients and MCP servers, but the official does not mandate MCP services to enable OAuth authorization protection, nor provide clear permission level classification in the protocol, with everything needing to be implemented and secured by developers.

2. Input and Output Checking

Developers need to check the input and output of Agents and MCP tools to discover potential malicious instructions (such as file path access, obtaining sensitive data, modifying other tools, etc.)

3. Clear UI Display

Tool descriptions should be clearly visible and distinctly differentiate between user-visible and AI-visible instructions. For important parameters and permissions, the frontend should also provide intuitive security prompts.

4. Lock Software Version

MCP clients should lock the version of MCP servers and their tools to prevent unauthorized changes. Developers can verify using hash values or checksums before executing tool descriptions.

Future Outlook

MCP and A2A protocols may be important enablers for the combination of AI and Web3. Currently, many developers are exploring AI with decentralized finance (DeFAI) and AI Agent tokenization, and the standardized protocols of MCP and A2A can help them build more functional and intelligent AI+Web3 applications more efficiently.

Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests, and are unrelated to Web3Caff's stance. The information in the article is for reference only and does not constitute any investment advice or offer, and please comply with the relevant laws and regulations of your country or region.