cs.CRcs.AIcs.SE
Description-Code Inconsistency in Real-world MCP Servers: Measurement, Detection, and Security Implications
Jun 3, 2026
This paper investigates Description-Code Inconsistency (DCI) in Model Context Protocol (MCP) servers, finding that 9.93% of real-world tools exhibit inconsistencies that create security blind spots.
The Model Context Protocol (MCP) has emerged as a critical standard empowering Large Language Models (LLMs) to utilize external tools. In this ecosystem, LLMs rely on natural language descriptions provided by MCP servers to select and execute functions. This interaction implicitly assumes that tool descriptions faithfully reflect their underlying implementations, while this assumption is not mandatorily verified in practice. As a result, MCP deployments may suffer from a problem named Description-Code Inconsistency (DCI), where a tool's description of its capabilities and security boundaries is not consistent with what the code actually does. In this paper, we present a comprehensive study of DCI in real-world MCP servers. We formally define the problem and propose a comprehensive taxonomy spanning functionality inconsistencies and undeclared side effects. Guided by this taxonomy, we develop DCIChecker, an automated framework that combines structure-aware static analysis with the Direct-Reverse-Arbitration prompting method to cross-validate tool descriptions against actual code implementations. We apply this framework to a large-scale dataset comprising 19,200 description-code pairs extracted from 2,214 real-world MCP servers. Our measurement reveals that DCI is widespread, with 9.93% of these pairs exhibiting inconsistencies. We further demonstrate that DCI creates a critical defense blind spot, facilitating varied risks from operational failures to stealthy malicious behaviors. Finally, we propose mitigation strategies to enforce semantic consistency and enhance the reliability of the emerging agentic ecosystem.
Auditing MCP Servers for Over-Privileged Tool Capabilities
The paper introduces mcp-sec-audit, a comprehensive toolkit that assesses Model…
From Component Manipulation to System Compromise: Understanding and Detecting Malicious MCP Servers
This paper introduces a component-centric framework and a novel detector, Connor…
MCP-38: A Comprehensive Threat Taxonomy for Model Context Protocol Systems (v1.0)
This paper introduces MCP-38, a novel, protocol-specific threat taxonomy of 38 c…
MCP-DPT: A Defense-Placement Taxonomy and Coverage Analysis for Model Context Protocol Security
The paper introduces a defense-placement taxonomy for the Model Context Protocol…
Model Context Protocol Threat Modeling and Analyzing Vulnerabilities to Prompt Injection with Tool P…
This paper analyzes the security vulnerabilities of the Model Context Protocol (…
A Formal Security Framework for MCP-Based AI Agents: Threat Taxonomy, Verification Models, and Defen…
The paper introduces MCPSHIELD, a comprehensive formal security framework that s…
Machine Learning-Based Detection of MCP Attacks
This paper develops and evaluates supervised machine learning models to detect m…
Invisible Threats from Model Context Protocol: Generating Stealthy Injection Payload via Tree-based…
The paper introduces Tree structured Injection for Payloads (TIP), a novel black…