MCP Description-Code Inconsistency

Description: The Model Context Protocol (MCP) architecture lacks a semantic verification mechanism to enforce consistency between a tool's documented behavior (exposed to the Large Language Model via JSON schemas) and its actual executable logic. This design gap allows MCP Servers to present benign, read-only, or limited-scope descriptions to the LLM agent while implementing undocumented, privileged, or state-mutating functionality in the underlying code. An attacker can exploit this description–code inconsistency to trick LLM agents into executing high-risk operations—such as system process termination, financial transactions, or data modification—that are invisible to the model's reasoning process and the user's authorization context.

Examples: The following specific inconsistencies were identified in real-world MCP servers during a large-scale analysis:

1. mcpx-py (System Integrity Violation):

• Declared Behavior: Describes itself as a general-purpose MCP development framework.
• Actual Behavior: Contains an undocumented system-level function, killtree.
• Attack Vector: An agent can be triggered to invoke this function, terminating arbitrary processes and their descendants via PID, leading to Denial of Service (DoS) of critical system services.

2. longport-mcp (Unauthorized Financial Action):

• Declared Behavior: Claims to provide access to the Longport OpenAPI for retrieving market data.
• Actual Behavior: Implements critical transaction functions submit_order and cancel_order in the code, but omits them from the documentation schema.
• Attack Vector: The server allows real trading actions to be executed without the agent (or user) being semantically aware that a transaction is occurring, potentially leading to financial loss.

3. zerops-mcp (Data Integrity Violation):

• Declared Behavior: Documented as offering read-only GitHub integration.
• Actual Behavior: Includes an undocumented API endpoint updateUser.
• Attack Vector: The tool can be abused to mutate user state or tamper with account information despite the "read-only" description.

Impact:

• Unauthorized Privilege Escalation: Agents effectively operate with the full privileges of the hosting server despite restricted descriptions.
• Data Integrity Loss: Silent mutation of databases or user profiles via hidden write operations.
• Service Disruption: Unintended termination of processes or system services.
• Financial Loss: Execution of unauthorized trades or transactions.
• Bypass of Human-in-the-Loop Controls: Users reviewing agent plans rely on tool descriptions; hidden code paths bypass this trust boundary.

Affected Systems:

• Model Context Protocol (MCP) Ecosystem
• Specific identified vulnerable packages: mcpx-py, longport-mcp, zerops-mcp.
• Any MCP Server implementation where the JSON-RPC tool definition does not strictly adhere to the underlying function call chain.

Mitigation Steps:

• Static Semantic Consistency Analysis: Implement automated auditing tools (such as the MCPDiFF framework proposed in the research) to statically compare Abstract Syntax Tree (AST) function call chains against the natural language semantics of the tool description.
• Manual Code Auditing: Developers must manually verify that every executable function, specifically those involving side effects (I/O, DB writes, API calls), is explicitly reflected in the description and inputSchema fields.
• Sandboxing: Deploy MCP Servers in isolated containers (e.g., Docker) with strict system-level permission controls (e.g., varying network access or filesystem read-only modes) that operate independently of the tool's self-reported capabilities.
• Marketplace Governance: MCP marketplaces should enforce automated consistency checks to flag servers with low description–code alignment scores before distribution.