This paper identifies a novel threat—Parasitic Toolchain Attacks—arising when large language models (LLMs) integrate with external systems via the Model Context Protocol (MCP). A canonical manifestation is MCP Unexpected Privacy Disclosure (MCP-UPD), wherein attackers inject malicious instructions through untrusted external data sources to exfiltrate private data—without user interaction. Method: We formally characterize this attack paradigm and attribute its root cause to MCP’s lack of context-tool isolation and minimal-privilege execution guarantees. To systematically assess real-world risk, we design MCP-SEC, a security evaluation framework, and conduct a large-scale empirical study across 12,230 tools and 1,360 servers. Contribution/Results: Our analysis uncovers multiple silent data leakage paths, demonstrating that exploitable vulnerabilities are pervasive across the MCP ecosystem. The findings underscore an urgent need for structured, protocol-level defenses—including strict sandboxing, runtime privilege control, and contextual integrity enforcement—to secure LLM-tool integrations.

Large language models (LLMs) are increasingly integrated with external systems through the Model Context Protocol (MCP), which standardizes tool invocation and has rapidly become a backbone for LLM-powered applications. While this paradigm enhances functionality, it also introduces a fundamental security shift: LLMs transition from passive information processors to autonomous orchestrators of task-oriented toolchains, expanding the attack surface, elevating adversarial goals from manipulating single outputs to hijacking entire execution flows. In this paper, we reveal a new class of attacks, Parasitic Toolchain Attacks, instantiated as MCP Unintended Privacy Disclosure (MCP-UPD). These attacks require no direct victim interaction; instead, adversaries embed malicious instructions into external data sources that LLMs access during legitimate tasks. The malicious logic infiltrates the toolchain and unfolds in three phases: Parasitic Ingestion, Privacy Collection, and Privacy Disclosure, culminating in stealthy exfiltration of private data. Our root cause analysis reveals that MCP lacks both context-tool isolation and least-privilege enforcement, enabling adversarial instructions to propagate unchecked into sensitive tool invocations. To assess the severity, we design MCP-SEC and conduct the first large-scale security census of the MCP ecosystem, analyzing 12,230 tools across 1,360 servers. Our findings show that the MCP ecosystem is rife with exploitable gadgets and diverse attack methods, underscoring systemic risks in MCP platforms and the urgent need for defense mechanisms in LLM-integrated environments.