What is MCP?
The Model Context Protocol (MCP) is an open standard that lets AI agents communicate with external tools and data sources through a client-server architecture. An MCP client (the AI agent or its host) connects to one or more MCP servers, each of which exposes tools (callable functions), resources (readable data), and prompts (reusable templates). Because MCP servers execute real actions — running commands, querying databases, writing files — they are a direct attack surface for agent infrastructure.CTPF framing
Capability Trust Propagation Failure (CTPF) asks whether trust properties (provenance, integrity, authorization scope, intended audience) fail to propagate across capability boundaries in multi-step AI systems. In this harness, the proxy is the primary observation surface: capture MCP traffic, optionally mutate server→client tool results under control, and retain sessions as evidence. Experiments confirm or fail to observe promotion under pinned conditions. They do not claim to falsify CTPF as a class. Do not invent Pattern 2 how-to workflows here — experiment procedures live with the research program outside this docs tree.Libraries vs public CLI
| Surface | Role |
|---|---|
| Public CLI | qai proxy, targets, runs, findings, config, db |
| Libraries | audit, inject, ipi, cxp — fixtures and research code; not root pillars |
OWASP MCP Top 10
The OWASP MCP Top 10 is a vulnerability taxonomy for MCP-based systems. The audit library can map findings to these categories.| ID | Vulnerability |
|---|---|
| MCP01 | Token Mismanagement & Secret Exposure |
| MCP02 | Privilege Escalation via Scope Creep |
| MCP03 | Tool Poisoning |
| MCP04 | Software Supply Chain Attacks |
| MCP05 | Command Injection & Execution |
| MCP06 | Prompt Injection via Contextual Payloads |
| MCP07 | Insufficient Authentication & Authorization |
| MCP08 | Lack of Audit & Telemetry |
| MCP09 | Shadow MCP Servers |
| MCP10 | Context Injection & Over-Sharing |
Framework mapping
When using the audit library, findings can map to four frameworks:OWASP Agentic Top 10
The OWASP Agentic Top 10 addresses vulnerabilities in agentic AI systems.MITRE ATLAS
MITRE ATLAS catalogs tactics and techniques observed in real-world attacks on AI systems.CWE
Findings can map to relevant CWE (Common Weakness Enumeration) IDs for classification and tracking. See Framework Coverage for mapping tables.Transport types
MCP defines three transport mechanisms for client-server communication.| Transport | Description | Use case |
|---|---|---|
| stdio | Server spawned as a child process, communication over stdin/stdout | Local development, CI pipelines, testing servers you can run directly |
| SSE | Server-Sent Events over HTTP (legacy transport) | Remote servers using the older SSE-based MCP protocol |
| Streamable HTTP | Bidirectional HTTP transport (current standard) | Remote servers using the current MCP transport specification |
Threat model
CTPF Research Harness tests agent infrastructure — the servers, tools, and trust boundaries that AI agents interact with — not just model outputs. The assumption is that MCP servers and tool results are untrusted components: they may leak secrets, execute injected commands, poison tool descriptions, or over-share context across sessions. Proxy observation asks what happens when that untrusted content crosses into a higher-trust action path without preserved provenance or scope.Library methodologies (fixtures)
Proxy — Observe and mutate
Sit between a client you control and an MCP server. Capture traffic, optionally intercept with forward / modify / drop, export sessions. This is the CTPF center of the public CLI.Audit — Enumerate and scan (library)
Connect to a server, enumerate tools/resources/prompts, run scanners mapped to OWASP MCP categories, export structured reports (including SARIF). Invoked as library code — notqai audit.
Inject — Fixture servers (library)
Serve malicious MCP tools viabuild_server / python -m q_ai.inject. Campaign scoring paths are removed.
IPI — Generate and listen (library)
Generate adversarial documents and run a headless callback listener (python -m q_ai.ipi) for out-of-band proof of execution when authorized.
CXP — Context file fixtures (library)
Build poisoned instruction files for coding assistants and validate captured assistant output against detection rules. This targets coding assistants under test, not a removed product “Assist” module.Callback-based verification (IPI library)
IPI payloads can embed a unique callback URL containing a cryptographic token. When an agent executes the hidden instruction, it may fire an HTTP request to the listener. Confidence scoring distinguishes token-backed hits from noise. Local listeners bind to127.0.0.1 only. Optional tunnel mode for remote targets is documented under IPI callbacks.
Payload styles vs payload types (IPI)
Payload styles control how the injection blends into document content (obvious, citation, reviewer, etc.).
Payload types define the instructed action (callback, exfil variants, SSRF, instruction override, tool abuse, persistence). Dangerous types require an explicit --dangerous flag — see Dangerous Payloads.
Surface summary
| Area | Attack / observation surface | Role after Phase 1 |
|---|---|---|
| proxy | MCP client↔server traffic | Public CLI center |
| audit | MCP server capabilities | Library |
| inject | Malicious MCP fixtures | Library (build_server) |
| ipi | Document ingestion + callbacks | Library (python -m q_ai.ipi) |
| cxp | Coding-assistant instruction files | Library |