15 Research Lab -Adversarial Safety Evaluation of Frontier AI Systems

John Kearney

What Is the Model Context Protocol (MCP)?

October 5, 202515 Research Lab

mcp-safetytoolsagent-safety

The Model Context Protocol (MCP) is an open standard that defines how AI agents discover and interact with external tools. Developed by Anthropic and released as an open specification, MCP provides a uniform interface between language models and the tools they use.

The Problem MCP Solves

Before MCP, every AI application built its own tool integration. If you wanted your agent to read files, query databases, and call APIs, you wrote custom integration code for each capability. This created fragmented ecosystems where tools built for one agent framework could not work with another.

MCP standardizes this. A tool built as an MCP server works with any MCP-compatible agent, the same way a USB device works with any USB port.

How It Works

MCP uses a client-server architecture:

MCP Client: The AI agent (or its host application). The client discovers available tools, presents them to the model, and executes tool calls.

MCP Server: Provides one or more tools. Each tool has a name, description, and parameter schema. The server handles the actual execution (database queries, API calls, file operations) and returns results.

Transport: MCP supports two transports. stdio runs the server as a local subprocess, communicating through standard input/output. SSE (Server-Sent Events) runs the server as a remote HTTP service.

The flow: client connects to server, fetches tool definitions, includes them in the model's context, the model decides which tools to call, the client sends the call to the server, the server executes and returns results.

What MCP Exposes

Each MCP server advertises:

Tools: Functions the agent can call, with JSON Schema parameter definitions
Resources: Data sources the agent can read (files, database tables, API endpoints)
Prompts: Pre-built prompt templates for common tasks

Why Security Matters

MCP tool descriptions go directly into the model's context. This makes them a prompt injection vector. Tool responses also enter the context, creating a second injection surface. A compromised or malicious MCP server can manipulate agent behavior through either channel.

The protocol itself does not include authentication, authorization, or content validation. These must be implemented at the application layer. This is the focus of MCP safety research: building the security controls that the protocol leaves to implementers.

Production MCP deployments need gateway architectures, tool allowlists, content scanning, and audit logging. The protocol gives you interoperability. You still need to add security.