Large language models(LLMs) are increasingly integrated with external systems through the Model Context Protocol(MCP),which standardizes tool invocation and has rapidly become a backbone for LLM-powered applications. While this paradigm enhances functionality,it also introduces a fundamental security shift:LLMs transition from passive information processors to autonomous orchestrators of task-oriented toolchains,expanding the attack surface,elevating adversarial goals from manipulating single outputs to hijacking entire execution flows. In this paper,we identify and characterize a systematic privacy-leakage attack pattern,termed Parasitic Toolchain Attacks,instantiated as MCP Unintended Privacy Disclosure(MCP-UPD). These attacks require no direct victim interaction;instead,adversaries embed malicious instructions into external data sources that LLMs access during legitimate tasks. Unlike traditional prompt injection and tool poisoning attacks,our attack targets the interconnected toolchain itself,assembling multiple legitimate tools into a coordinated workflow whose combined behavior accomplishes malicious objectives. In MCP-UPD,the malicious logic infiltrates the toolchain and unfolds in three phases:Parasitic Ingestion,Privacy Collection,and Privacy Disclosure,culminating in stealthy exfiltration of private data. Our root cause analysis reveals that MCP lacks both context-tool isolation and least-privilege enforcement,enabling adversarial instructions to propagate unchecked into sensitive tool invocations. To assess the severity,we design MCP-SEC and conduct the first large-scale security census of the MCP ecosystem,analyzing 12230 tools across 1360 servers. Our findings show that the MCP ecosystem is rife with real-world exploitable gadgets and diverse attack methods,underscoring systemic risks in MCP platforms and the urgent need for defense mechanisms in LLM-integrated environments.

翻译：大语言模型（LLMs）通过与外部系统集成而日益普遍，这种集成基于模型上下文协议（MCP），该协议标准化了工具调用，并迅速成为LLM驱动应用的支柱。虽然这种范式增强了功能，但也引入了根本性的安全转变：LLMs从被动的信息处理者转变为面向任务的工具链的自主编排者，从而扩大了攻击面，并将对抗目标从操纵单一输出提升到劫持整个执行流程。本文识别并系统描述了一种称为寄生工具链攻击的隐私泄露攻击模式，该模式具体表现为MCP非预期隐私泄露（MCP-UPD）。这些攻击无需直接与受害者交互；相反，攻击者将恶意指令嵌入到LLMs在执行合法任务时所访问的外部数据源中。与传统的提示注入和工具投毒攻击不同，我们的攻击针对的是互连接的工具链本身，将多个合法工具组装成一个协调的工作流，其组合行为实现了恶意目标。在MCP-UPD中，恶意逻辑渗透进工具链并分三个阶段展开：寄生摄取、隐私收集和隐私披露，最终实现私密数据的隐蔽外泄。我们的根因分析表明，MCP缺乏上下文与工具的隔离以及最小权限的强制执行，使得对抗指令能够不受限制地传播到敏感的工具调用中。为了评估严重性，我们设计了MCP-SEC，并对MCP生态系统进行了首次大规模安全普查，分析了涵盖1360个服务器中的12230个工具。我们的研究结果表明，MCP生态系统充斥着真实世界可利用的小工具和多样化的攻击方法，突显了MCP平台中的系统性风险以及在LLM集成环境中建立防御机制的迫切需要。