MCP now has over 10,000 public servers. More than 50 companies are building A2A. AI agent protocols are growing fast.
But security research is not keeping up. For Agora and ANP, almost no security analysis existed before this paper.
In February 2026, researchers from the Canadian Institute for Cybersecurity and Mastercard published a paper that organizes 12 risks across 4 protocols (arXiv:2602.11327).
The Four Protocols
AI agent communication has different layers for different jobs.
- MCP, released by Anthropic in November 2024, connects AI to external tools and data using OAuth 2.1. It is already in production.
- A2A, announced by Google in April 2025, handles agent-to-agent communication with OAuth 2.0+JWT and is currently in draft stage.
- Agora, proposed by Marro et al. in October 2024, is a meta-protocol that dynamically generates and negotiates communication rules using hash-based authentication. It remains at the research stage.
- ANP, proposed by Chang et al. in July 2025, provides the network layer for large-scale agent networks using W3C DID for authentication. It is also at the research stage.
These protocols do not compete. They stack on top of each other.
12 Protocol-Level Risks
The paper sorts risks by lifecycle: creation, operation, and update.
The creation phase has four risks. MCP and Agora have weak identity checks. MCP and ANP do not protect registration data integrity. MCP has no namespace separation, so same-name tool spoofing works. Agora and ANP have no security policy defined at all.
The operation phase also has four risks. MCP does not verify what actually runs. MCP and A2A have no control over data exchange. MCP and A2A give permissions that are too broad. All four protocols lack rate limiting and backpressure.
The update phase has four more. MCP and A2A never cancel old credentials. Agora and ANP have no rollback protection. MCP does not sign or verify update packages. All protocols are vulnerable to dependency drift.
In short, the creation phase cannot verify who registered what. The operation phase cannot control what runs or how much access it has. The update phase leaves old credentials active and applies unsigned packages without checks.
MCP Experiment: Tool Spoofing
The researchers also ran an experiment on MCP. They set up a real server and a fake server, both using the same tool name (authorize_payment). Then they checked which one the AI called.
In first-match mode, the AI always called the wrong server (Violation Rate = 1.0). In best-match mode, it was wrong about half the time (Violation Rate = 0.52). Without cryptographic signatures, tool spoofing works reliably.
Reported Incidents
These incidents were reported on X and security news sites.
OpenClaw was shown to be vulnerable to indirect prompt injection, enabling backdoor installation and C2 deployment. A supply chain attack on Cline CLI v2.3.0 also led to approximately 4,000 unauthorized installations. An RCE vulnerability in MCP Inspector (CVE-2025-49596, CVSS 9.4) allowed remote code execution just by visiting a malicious web page (now patched). On ClawHub, Snyk's Agent Scan analysis (3,984 skills) found 76 confirmed malware packages. VirusTotal scanning was added to fix this. A Cursor MCP server leaked login credentials through indirect prompt injection.
Many of these reports come from X posts and have not been verified independently.
What to Do Now
Use cryptographic signatures to verify identity, not just names. Add supply chain checks like signature verification, code scanning, and version pinning. Watch MITRE ATLAS. They are adding attack techniques specific to AI agents. Set the default to least privilege and enforce token scope at the protocol level.
Over 10,000 MCP servers. Over 50 companies building A2A. Protocol adoption is outpacing security. The shift from "call tools by name" to "verify tools by signature" is the first step.
Top comments (2)
This is a really important point. Right now a lot of people are excited about AI agents and new protocols, but security feels like an afterthought. The tool spoofing example is especially concerning — if agents select tools by name without strong verification, that is a big risk. Hopefully protocols like MCP start enforcing signatures and stricter permissions before adoption grows even bigger.
The 100% success rate on tool spoofing is alarming but not surprising. MCP's current trust model essentially delegates security to the client — which means every AI agent implementation has to independently solve authentication, input validation, and capability verification.
What's missing is a protocol-level capability negotiation layer. Something like: server declares capabilities with cryptographic signatures, client verifies before execution, and there's an explicit human-in-the-loop checkpoint for sensitive operations. OAuth solved this for web APIs years ago.
The 12 security risks across 4 protocols also highlights a broader issue — we're building agent infrastructure at startup speed but with none of the security review processes that mature protocol development requires. The fact that tool poisoning and rug pulls are viable attacks means we need formal threat modeling before wider adoption, not after.
Great breakdown of the paper. Would love to see follow-up coverage on which frameworks are actually implementing mitigations.