The Model Context Protocol (MCP) has emerged as the de facto standard for connecting Large Language Models (LLMs) to external data and tools, effectively functioning as the "USB-C for Agentic AI." While this decoupling of context and execution solves critical interoperability challenges, it introduces a profound new threat landscape where the boundary between epistemic errors (hallucinations) and security breaches (unauthorized actions) dissolves. This Systematization of Knowledge (SoK) aims to provide a comprehensive taxonomy of risks in the MCP ecosystem, distinguishing between adversarial security threats (e.g., indirect prompt injection, tool poisoning) and epistemic safety hazards (e.g., alignment failures in distributed tool delegation). We analyze the structural vulnerabilities of MCP primitives, specifically Resources, Prompts, and Tools, and demonstrate how "context" can be weaponized to trigger unauthorized operations in multi-agent environments. Furthermore, we survey state-of-the-art defenses, ranging from cryptographic provenance (ETDI) to runtime intent verification, and conclude with a roadmap for securing the transition from conversational chatbots to autonomous agentic operating systems.

翻译：模型上下文协议（MCP）已成为连接大型语言模型（LLMs）与外部数据及工具的事实标准，实质上充当了“智能体人工智能的USB-C接口”。尽管这种上下文与执行的解耦解决了关键的互操作性挑战，但它引入了一个深刻的新威胁格局，其中认知错误（幻觉）与安全漏洞（未授权操作）之间的界限变得模糊。本知识系统化研究旨在提供MCP生态系统中风险的全面分类，区分对抗性安全威胁（例如间接提示注入、工具污染）与认知性安全风险（例如分布式工具委托中的对齐失败）。我们分析了MCP原语（特别是资源、提示和工具）的结构性漏洞，并演示了“上下文”如何被武器化以在多智能体环境中触发未授权操作。此外，我们综述了从密码学来源验证（ETDI）到运行时意图验证等前沿防御技术，最后提出了一个路线图，以保障从对话式聊天机器人向自主智能体操作系统的安全过渡。