The Model Context Protocol (MCP) enables large language models to invoke external tools through natural-language descriptions, forming the foundation of many AI agent applications. However, MCP does not enforce consistency between documented tool behavior and actual code execution, even though MCP Servers often run with broad system privileges. This gap introduces a largely unexplored security risk. We study how mismatches between externally presented tool descriptions and underlying implementations systematically shape the mental models and decision-making behavior of intelligent agents. Specifically, we present the first large-scale study of description-code inconsistency in the MCP ecosystem. We design an automated static analysis framework and apply it to 10,240 real-world MCP Servers across 36 categories. Our results show that while most servers are highly consistent, approximately 13% exhibit substantial mismatches that can enable undocumented privileged operations, hidden state mutations, or unauthorized financial actions. We further observe systematic differences across application categories, popularity levels, and MCP marketplaces. Our findings demonstrate that description-code inconsistency is a concrete and prevalent attack surface in MCP-based AI agents, and motivate the need for systematic auditing and stronger transparency guarantees in future agent ecosystems.

翻译：模型上下文协议（Model Context Protocol, MCP）使大型语言模型能够通过自然语言描述调用外部工具，构成众多AI智能体应用的基础。然而，MCP并未强制要求文档记录的工具行为与实际代码执行之间的一致性，尽管MCP服务器通常以广泛的系统权限运行。这一差距带来了一个尚未被充分探索的安全风险。我们研究了外部呈现的工具描述与底层实现之间的不匹配如何系统性地影响智能体的心智模型与决策行为。具体而言，我们首次对MCP生态系统中描述与代码不一致现象进行了大规模研究。我们设计了一个自动化静态分析框架，并将其应用于涵盖36个类别的10,240个真实世界MCP服务器。结果显示，虽然大多数服务器具有高度一致性，但约13%的服务器存在显著的不匹配，这些不匹配可能导致未记录的权限操作、隐藏的状态变更或未经授权的金融行为。我们进一步观察到不同应用类别、流行度级别及MCP市场之间存在系统性差异。我们的研究表明，描述与代码不一致是基于MCP的AI智能体中一个具体且普遍存在的攻击面，这凸显了在未来智能体生态系统中进行系统性审计和建立更强透明度保障的必要性。