In this work, we study the security of Model Context Protocol (MCP) agent toolchains and their applications in smart homes. We introduce AegisMCP, a protocol-level intrusion detector. Our contributions are: (i) a minimal attack suite spanning instruction-driven escalation, chain-of-tool exfiltration, malicious MCP server registration, and persistence; (ii) NEBULA-Schema (Network-Edge Behavioral Learning for Untrusted LLM Agents), a reusable protocol-level instrumentation that represents MCP activity as a streaming heterogeneous temporal graph over agents, MCP servers, tools, devices, remotes, and sessions; and (iii) a CPU-only streaming detector that fuses novelty, session-DAG structure, and attribute cues for near-real-time edge inference, with optional fusion of local prompt-guardrail signals. On an emulated smart-home testbed spanning multiple MCP stacks and on a physical bench, AegisMCP achieves sub-second per-window model inference and end-to-end alerting, consistently on Intel N150-class edge hardware, while outperforming traffic-only and sequence baselines; ablations confirm the importance of the DAG and install/permission signals. We release code, schemas, and generators for reproducible evaluation.
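To make the three fused cues concrete, the following is an added illustration, not AegisMCP's or NEBULA-Schema's own code: a toy detector that turns a constructed window of MCP call records into a typed temporal graph, derives a per-session call DAG, and flags a session when at least two cues fire. The record layout, the tool classes (read-like vs. send-like), the risky-permission set, the baseline of previously seen entities, and the synthetic host event used for a newly added server entry are all assumptions of this example; none of them comes from the paper or from the MCP specification.

```python
from collections import defaultdict

# Tool classes for the session-DAG rule and permissions treated as risky
# by the attribute rule. Both sets are assumptions for this example.
READ_TOOLS = {"fs.read", "camera.snapshot", "calendar.list"}
SEND_TOOLS = {"http.post", "email.send", "mqtt.publish"}
RISKY_PERMS = {"fs.write", "net", "install"}

# Constructed sample window: one record per observed MCP JSON-RPC call, as an
# assumed proxy in front of the agent's MCP clients would log it. The field
# layout is this example's own, not NEBULA-Schema. The last record is a
# synthetic host event for a newly added server entry (not an MCP method).
SAMPLE_EVENTS = [
    {"t": 1.0, "session": "s1", "agent": "home-bot", "server": "hue",
     "method": "tools/call", "tool": "lights.set", "device": "lamp-1"},
    {"t": 1.5, "session": "s1", "agent": "home-bot", "server": "files",
     "method": "tools/call", "tool": "fs.read"},
    {"t": 2.0, "session": "s1", "agent": "home-bot", "server": "web",
     "method": "tools/call", "tool": "http.post", "remote": "203.0.113.9"},
    {"t": 3.0, "session": "s2", "agent": "home-bot", "server": "helper",
     "method": "host/server_added", "remote": "198.51.100.7",
     "permissions": ["fs.write", "net"]},
]

# Entities seen in earlier benign windows (constructed baseline).
BASELINE = {("agent", "home-bot"), ("server", "hue"), ("server", "files"),
            ("server", "web"), ("tool", "lights.set"), ("tool", "fs.read"),
            ("tool", "http.post"), ("device", "lamp-1")}


def event_nodes(ev):
    """Typed node chain for one event: agent -> server -> tool -> device/remote."""
    chain = [("agent", ev["agent"]), ("server", ev["server"])]
    for kind in ("tool", "device", "remote"):
        if ev.get(kind):
            chain.append((kind, ev[kind]))
    return chain


def build_graph(events):
    """Heterogeneous temporal graph: typed nodes plus timestamped, session-tagged edges."""
    nodes, edges = set(), []
    for ev in events:
        chain = event_nodes(ev)
        nodes.update(chain)
        nodes.add(("session", ev["session"]))
        for src, dst in zip(chain, chain[1:]):
            edges.append((src, dst, ev["t"], ev["session"]))
    return nodes, edges


def session_dags(events):
    """Per-session tool-call order; successive calls form the DAG edges."""
    dags = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["method"] == "tools/call":
            dags[ev["session"]].append((ev["tool"], ev.get("remote")))
    return dict(dags)


def score_window(events, baseline, threshold=2):
    """Fuse novelty, attribute and DAG cues per session; return sessions at/over threshold."""
    reasons = defaultdict(set)
    for ev in events:
        # Novelty cue: any entity in this event that the baseline has never seen.
        for kind, ident in event_nodes(ev):
            if (kind, ident) not in baseline:
                reasons[ev["session"]].add(f"novel:{kind}:{ident}")
        # Attribute / install cue: a new server entry, worse if it asks for risky permissions.
        if ev["method"] == "host/server_added":
            reasons[ev["session"]].add("new_server")
            if RISKY_PERMS & set(ev.get("permissions", [])):
                reasons[ev["session"]].add("risky_permissions")
    # DAG cue: a read-like tool earlier in the session, then a send-like tool to a remote.
    for sid, calls in session_dags(events).items():
        seen_read = False
        for tool, remote in calls:
            seen_read |= tool in READ_TOOLS
            if seen_read and tool in SEND_TOOLS and remote:
                reasons[sid].add("chain_exfil")
    return {sid: sorted(r) for sid, r in reasons.items() if len(r) >= threshold}


if __name__ == "__main__":
    for sid, why in score_window(SAMPLE_EVENTS, BASELINE).items():
        print(sid, why)
```

Run as a script it prints the two flagged sessions: s1 for the read-then-post chain to an unseen remote, and s2 for the unseen server and remote together with the new-server and risky-permission cues. The point of the threshold is the fusion itself: a single novel remote, or a single new server, is routine in a home network and should not page anyone, whereas novelty coinciding with a DAG or permission cue in the same session is what the abstract's ablations single out as the useful signal.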