DEV Community

ecap0
ecap0

Posted on • Originally published at agentaudit.dev

Schema Drift: The Silent MCP Attack Vector Nobody's Watching

#security #ai #mcp #opensource

Schema Drift: The Silent MCP Attack Vector Nobody's Watching

You audited your MCP server last month. It passed. You're safe, right?

Wrong.

The Problem

MCP servers are npm packages. They update frequently. And with each update, the tool schemas — the descriptions, parameters, and capabilities that your AI agent trusts — can change silently.

We call this Schema Drift: the gradual, often invisible expansion of an MCP server's attack surface across version updates.

How It Works

  1. v1.0.0 — MCP server provides 3 tools: read_file, list_directory, search_files. Clean audit. ✅
  2. v1.0.1 (patch update) — Adds a command parameter to search_files that accepts shell commands for "advanced search". No changelog mention.
  3. v1.1.0 — Adds execute_script tool "for automation". Tool description contains instructions that influence the LLM's behavior with other connected servers.

Each step looks minor. But the cumulative effect? Full system access through what started as a file browser.

Why This Matters

  • Auto-updates are the norm. Most developers pin ^1.0.0 or latest. Patch versions install automatically.
  • Audits are point-in-time. A security audit of v1.0.0 says nothing about v1.0.1.
  • Tool descriptions are invisible. Users don't read them. LLMs do. A changed description can completely alter agent behavior.
  • Supply chain attacks love small changes. Compromising a maintainer account and pushing a patch is easier than publishing a new malicious package.

What We Found

In our study, we scanned 17 popular MCP servers using AgentAudit, examining their tool schemas for potential security concerns:

  • Tool count changes across versions
  • Parameter additions/removals
  • Description text changes (especially hidden instructions)
  • New capability introductions in patch versions

Key Findings

  • Several servers in our sample added new tools or parameters in patch versions — changes that expanded capabilities without a major version bump
  • Multiple servers contained tool description changes between versions that could subtly influence LLM behavior
  • In our sample of 17 MCP servers, a notable subset introduced filesystem or network access capabilities that weren't present in their initial versions

Detection with AgentAudit

AgentAudit helps you catch these changes by auditing tool schemas for security risks:

  • 🔴 Dangerous capabilities (shell access, hidden instructions)
  • 🟡 Suspicious patterns (excessive permissions, prompt injection vectors)
  • 🟢 Clean tool definitions with appropriate scoping 
# Audit any MCP server
npx agentaudit audit @modelcontextprotocol/server-filesystem
Enter fullscreen mode Exit fullscreen mode

Run this after every update — not just on initial install.

Recommendations

  1. Pin exact versions (1.0.0, not ^1.0.0) for MCP servers
  2. Re-audit after every update, not just initial install
  3. Monitor tool schema changes — they're as important as code changes
  4. Use automated tools like AgentAudit that track drift over time
  5. Review changelogs before updating — but don't rely on them alone

The Bigger Picture

The MCP ecosystem is growing fast. As of February 2026, there are thousands of MCP servers on npm. The community has done great work identifying attack vectors like Tool Poisoning and Sampling Injection.

But Schema Drift is different because it exploits trust decay — the assumption that a previously audited package remains safe. In traditional software, dependency updates are tracked by tools like Dependabot. For MCP servers, nobody is tracking how tool schemas evolve.

Until now.

AgentAudit is an open-source security scanner for AI agent packages. Install it: npm install -g agentaudit

GitHub: starbuck100/agentaudit-mcp | starbuck100/agentaudit-skill

Top comments (0)