Tool-augmented LLM agents raise new security risks: tool executions can introduce runtime-only behaviors, including prompt injection and unintended exposure of external inputs (e.g., environment secrets or local files). While existing scanners often focus on static artifacts, analyzing runtime behavior is challenging because directly executing untrusted tools can itself be dangerous. We present MCP-SandboxScan, a lightweight framework motivated by the Model Context Protocol (MCP) that safely executes untrusted tools inside a WebAssembly/WASI sandbox and produces auditable reports of external-to-sink exposures. Our prototype (i) extracts LLM-relevant sinks from runtime outputs (prompt/messages and structured tool-return fields), (ii) instantiates external-input candidates from environment values, mounted file contents, and output-surfaced HTTP fetch intents, and (iii) links sources to sinks via snippet-based substring matching. Case studies on three representative tools show that MCP-SandboxScan can surface provenance evidence when external inputs appear in prompt/messages or tool-return payloads, and can expose filesystem capability violations as runtime evidence. We further compare against a lightweight static string-signature baseline and use a micro-benchmark to characterize false negatives under transformations and false positives from short-token collisions.

翻译：工具增强型LLM代理引发了新的安全风险：工具执行可能引入仅运行时可见的行为，包括提示注入和外部输入（如环境密钥或本地文件）的意外暴露。现有扫描器通常聚焦于静态产物，而分析运行时行为具有挑战性，因为直接执行不可信工具本身可能具有危险性。本文提出MCP-SandboxScan，这是一个受模型上下文协议（MCP）启发的轻量级框架，可在WebAssembly/WASI沙箱内安全执行不可信工具，并生成可审计的外部输入至接收点的暴露报告。我们的原型系统（i）从运行时输出（提示/消息和结构化工具返回字段）中提取LLM相关接收点，（ii）根据环境变量、挂载文件内容以及输出层暴露的HTTP获取意图实例化外部输入候选项，（iii）通过基于代码片段的子字符串匹配将源与接收点关联。针对三个代表性工具的案例研究表明，MCP-SandboxScan能够在外部输入出现在提示/消息或工具返回载荷时提供溯源证据，并可将文件系统权限违规作为运行时证据进行暴露。我们进一步与轻量级静态字符串签名基线进行比较，并通过微基准测试来表征变换下的漏报率和短令牌碰撞导致的误报率。