Trivial Trojans: How Minimal MCP Servers Enable Cross-Tool Exfiltration of Sensitive Data

📅 2025-07-26
📈 Citations: 0
Influential: 0
🤖 AI Summary
This paper identifies a critical security vulnerability in the Model Context Protocol (MCP): its implicit cross-server trust model enables low-barrier exploitation, leading to unauthorized disclosure of sensitive financial data. We design and implement a Python-based malicious MCP server prototype that—leveraging social engineering and automated discovery of legitimate banking tools—achieves cross-server exfiltration of user account balances without requiring advanced technical expertise or complex infrastructure. Our proof-of-concept attack demonstrates feasibility with only undergraduate-level programming proficiency, exposing a novel attack surface arising from compositional trust within the MCP ecosystem. To our knowledge, this work is the first to systematically identify, formalize, and name this class of vulnerability as “compositional trust vulnerabilities.” We further propose concrete protocol-level mitigations, offering both theoretical foundations and practical guidance for securing AI toolchains against such threats.

📝 Abstract
The Model Context Protocol (MCP) represents a significant advancement in AI-tool integration, enabling seamless communication between AI agents and external services. However, this connectivity introduces novel attack vectors that remain largely unexplored. This paper demonstrates how unsophisticated threat actors, requiring only basic programming skills and free web tools, can exploit MCP's trust model to exfiltrate sensitive financial data. We present a proof-of-concept attack where a malicious weather MCP server, disguised as benign functionality, discovers and exploits legitimate banking tools to steal user account balances. The attack chain requires no advanced technical knowledge, server infrastructure, or monetary investment. The findings reveal a critical security gap in the emerging MCP ecosystem: while individual servers may appear trustworthy, their combination creates unexpected cross-server attack surfaces. Unlike traditional cybersecurity threats that assume sophisticated adversaries, our research shows that the barrier to entry for MCP-based attacks is alarmingly low. A threat actor with undergraduate-level Python knowledge can craft convincing social engineering attacks that exploit the implicit trust relationships MCP establishes between AI agents and tool providers. This work contributes to the nascent field of MCP security by demonstrating that current MCP implementations allow trivial cross-server attacks and proposing both immediate mitigations and protocol improvements to secure this emerging ecosystem.
Problem

Research questions and friction points this paper is trying to address.

Exploiting MCP's trust model for data exfiltration
Demonstrating low-skill attacks on financial data
Identifying cross-server vulnerabilities in MCP ecosystem
Innovation

Methods, ideas, or system contributions that make the work stand out.

Exploits MCP trust model for data exfiltration
Uses benign-looking malicious MCP servers
Requires only basic Python programming skills