Skip to main content

What is MCP?

The Model Context Protocol (MCP) is an open standard that lets AI agents communicate with external tools and data sources through a client-server architecture. An MCP client (the AI agent or its host) connects to one or more MCP servers, each of which exposes tools (callable functions), resources (readable data), and prompts (reusable templates). Because MCP servers execute real actions — running commands, querying databases, writing files — they are a direct attack surface for agent infrastructure.

CTPF framing

Capability Trust Propagation Failure (CTPF) asks whether trust properties (provenance, integrity, authorization scope, intended audience) fail to propagate across capability boundaries in multi-step AI systems. In this harness, the proxy is the primary observation surface: capture MCP traffic, optionally mutate server→client tool results under control, and retain sessions as evidence. Experiments confirm or fail to observe promotion under pinned conditions. They do not claim to falsify CTPF as a class. Do not invent Pattern 2 how-to workflows here — experiment procedures live with the research program outside this docs tree.

Libraries vs public CLI

SurfaceRole
Public CLIqai proxy, targets, runs, findings, config, db
Librariesaudit, inject, ipi, cxp — fixtures and research code; not root pillars
Removed Phase 1 surfaces (do not document as current product): Web UI, Assistant, Chain, RXP, External Tool Import, inject campaigns.

OWASP MCP Top 10

The OWASP MCP Top 10 is a vulnerability taxonomy for MCP-based systems. The audit library can map findings to these categories.
IDVulnerability
MCP01Token Mismanagement & Secret Exposure
MCP02Privilege Escalation via Scope Creep
MCP03Tool Poisoning
MCP04Software Supply Chain Attacks
MCP05Command Injection & Execution
MCP06Prompt Injection via Contextual Payloads
MCP07Insufficient Authentication & Authorization
MCP08Lack of Audit & Telemetry
MCP09Shadow MCP Servers
MCP10Context Injection & Over-Sharing

Framework mapping

When using the audit library, findings can map to four frameworks:

OWASP Agentic Top 10

The OWASP Agentic Top 10 addresses vulnerabilities in agentic AI systems.

MITRE ATLAS

MITRE ATLAS catalogs tactics and techniques observed in real-world attacks on AI systems.

CWE

Findings can map to relevant CWE (Common Weakness Enumeration) IDs for classification and tracking. See Framework Coverage for mapping tables.

Transport types

MCP defines three transport mechanisms for client-server communication.
TransportDescriptionUse case
stdioServer spawned as a child process, communication over stdin/stdoutLocal development, CI pipelines, testing servers you can run directly
SSEServer-Sent Events over HTTP (legacy transport)Remote servers using the older SSE-based MCP protocol
Streamable HTTPBidirectional HTTP transport (current standard)Remote servers using the current MCP transport specification
See Transport Types for configuration details.

Threat model

CTPF Research Harness tests agent infrastructure — the servers, tools, and trust boundaries that AI agents interact with — not just model outputs. The assumption is that MCP servers and tool results are untrusted components: they may leak secrets, execute injected commands, poison tool descriptions, or over-share context across sessions. Proxy observation asks what happens when that untrusted content crosses into a higher-trust action path without preserved provenance or scope.

Library methodologies (fixtures)

Proxy — Observe and mutate

Sit between a client you control and an MCP server. Capture traffic, optionally intercept with forward / modify / drop, export sessions. This is the CTPF center of the public CLI.

Audit — Enumerate and scan (library)

Connect to a server, enumerate tools/resources/prompts, run scanners mapped to OWASP MCP categories, export structured reports (including SARIF). Invoked as library code — not qai audit.

Inject — Fixture servers (library)

Serve malicious MCP tools via build_server / python -m q_ai.inject. Campaign scoring paths are removed.

IPI — Generate and listen (library)

Generate adversarial documents and run a headless callback listener (python -m q_ai.ipi) for out-of-band proof of execution when authorized.

CXP — Context file fixtures (library)

Build poisoned instruction files for coding assistants and validate captured assistant output against detection rules. This targets coding assistants under test, not a removed product “Assist” module.

Callback-based verification (IPI library)

IPI payloads can embed a unique callback URL containing a cryptographic token. When an agent executes the hidden instruction, it may fire an HTTP request to the listener. Confidence scoring distinguishes token-backed hits from noise. Local listeners bind to 127.0.0.1 only. Optional tunnel mode for remote targets is documented under IPI callbacks.

Payload styles vs payload types (IPI)

Payload styles control how the injection blends into document content (obvious, citation, reviewer, etc.). Payload types define the instructed action (callback, exfil variants, SSRF, instruction override, tool abuse, persistence). Dangerous types require an explicit --dangerous flag — see Dangerous Payloads.

Surface summary

AreaAttack / observation surfaceRole after Phase 1
proxyMCP client↔server trafficPublic CLI center
auditMCP server capabilitiesLibrary
injectMalicious MCP fixturesLibrary (build_server)
ipiDocument ingestion + callbacksLibrary (python -m q_ai.ipi)
cxpCoding-assistant instruction filesLibrary