
research(mcp): MCP protocol-level security vulnerabilities — capability attestation and origin authentication #2178

@bug-ops

Description


Research Background

Breaking the Protocol (arxiv:2601.17549, Jan 2026) identifies three fundamental protocol-level vulnerabilities in MCP:

  1. Absence of capability attestation — servers can claim arbitrary permissions
  2. Bidirectional sampling without origin authentication — enables server-side prompt injection
  3. Implicit trust propagation in multi-server configurations

Across 847 attack scenarios and 5 MCP server implementations, the paper reports that MCP amplifies attack success by 23–41% versus non-MCP integrations.

SMCP: Secure Model Context Protocol (arxiv:2602.01129, Feb 2026) proposes a backward-compatible extension adding capability attestation + message authentication, reducing attack success from 52.8% to 12.4% (8.3ms latency overhead per message).

Applicability to Zeph

Zeph's MCP client (zeph-mcp) connects to external MCP servers. Current mitigations:

Gaps identified by research:

  • No capability attestation: Zeph trusts the tool list reported by any MCP server
  • No message origin authentication: server-injected content is treated the same as legitimate output
  • Multi-server trust propagation: if two MCP servers are connected, one compromised server's output could influence the other's tool calls

Proposed Investigation

  1. Audit zeph-mcp/src/ for capability validation on server connection
  2. Assess feasibility of per-server trust scoring (extend existing ContentSanitizer trust model)
  3. Track SMCP spec evolution — if adopted upstream in rmcp, integrate

Priority

P3 — security research. MCP client is optional/feature-gated. Current ContentSanitizer provides partial mitigation. Full attestation requires protocol-level changes in rmcp.

Labels

  • P3 (Research — medium-high complexity)
  • research (Research-driven improvement)
  • security (Security-related issue)
