The Model Context Protocol (MCP) standardizes tool use for LLM-based agents and enable third-party servers. This openness introduces a security misalignment: agents implicitly trust tools exposed by potentially untrusted MCP servers. However, despite its excellent utility, existing agents typically offer limited validation for third-party MCP servers. As a result, agents remain vulnerable to MCP-based attacks that exploit the misalignment between agents and servers throughout the tool invocation lifecycle. In this paper, we propose MCPShield as a plug-in security cognition layer that mitigates this misalignment and ensures agent security when invoking MCP-based tools. Drawing inspiration from human experience-driven tool validation, MCPShield assists agent forms security cognition with metadata-guided probing before invocation. Our method constrains execution within controlled boundaries while cognizing runtime events, and subsequently updates security cognition by reasoning over historical traces after invocation, building on human post-use reflection on tool behavior. Experiments demonstrate that MCPShield exhibits strong generalization in defending against six novel MCP-based attack scenarios across six widely used agentic LLMs, while avoiding false positives on benign servers and incurring low deployment overhead. Overall, our work provides a practical and robust security safeguard for MCP-based tool invocation in open agent ecosystems.

翻译：模型上下文协议（MCP）为标准化的基于大语言模型的代理工具使用及第三方服务器接入提供了框架。这种开放性引入了安全错位问题：代理会隐式信任由潜在不可信的MCP服务器所暴露的工具。然而，尽管现有代理具有出色的实用性，它们通常对第三方MCP服务器提供的验证机制有限。因此，代理在整个工具调用生命周期中容易受到基于MCP的攻击，这些攻击利用了代理与服务器之间的安全错位。本文提出MCPShield作为一种插件式安全认知层，旨在缓解这种错位并确保代理在调用基于MCP的工具时的安全性。受人类经验驱动的工具验证机制启发，MCPShield通过元数据引导的调用前探测，协助代理形成安全认知。该方法将执行约束在受控边界内，同时感知运行时事件，并基于人类对工具使用后的行为反思机制，在调用后通过对历史轨迹的推理来更新安全认知。实验表明，MCPShield在防御六种广泛使用的代理式大语言模型上的六种新型基于MCP的攻击场景时表现出强大的泛化能力，同时避免对良性服务器产生误报，且部署开销较低。总体而言，我们的工作为开放代理生态系统中基于MCP的工具调用提供了一种实用且鲁棒的安全保障机制。