The Model Context Protocol (MCP) has emerged as the de facto standard for connecting Large Language Models (LLMs) to external data and tools, effectively functioning as the "USB-C for Agentic AI." While this decoupling of context and execution solves critical interoperability challenges, it introduces a profound new threat landscape where the boundary between epistemic errors (hallucinations) and security breaches (unauthorized actions) dissolves. This Systematization of Knowledge (SoK) aims to provide a comprehensive taxonomy of risks in the MCP ecosystem, distinguishing between adversarial security threats (e.g., indirect prompt injection, tool poisoning) and epistemic safety hazards (e.g., alignment failures in distributed tool delegation). We analyze the structural vulnerabilities of MCP primitives, specifically Resources, Prompts, and Tools, and demonstrate how "context" can be weaponized to trigger unauthorized operations in multi-agent environments. Furthermore, we survey state-of-the-art defenses, ranging from cryptographic provenance (ETDI) to runtime intent verification, and conclude with a roadmap for securing the transition from conversational chatbots to autonomous agentic operating systems.

翻译：模型上下文协议（MCP）已成为连接大型语言模型（LLMs）与外部数据及工具的事实标准，实质上发挥着“智能体人工智能的USB-C接口”的作用。虽然这种上下文与执行的解耦解决了关键的互操作性挑战，但它也引入了一个深刻的新威胁格局，其中认知错误（幻觉）与安全漏洞（未授权操作）之间的界限变得模糊。本知识系统化研究旨在为MCP生态系统中的风险提供一个全面的分类体系，区分对抗性安全威胁（例如间接提示注入、工具投毒）与认知性安全风险（例如分布式工具委托中的对齐失效）。我们分析了MCP基本组件（特别是资源、提示和工具）的结构性脆弱性，并展示了“上下文”如何在多智能体环境中被武器化以触发未授权操作。此外，我们综述了从密码学溯源（ETDI）到运行时意图验证等前沿防御技术，最后提出了保障从对话式聊天机器人向自主智能体操作系统过渡的安全路线图。