Paper Reference
Cross-Server Attacks — arxiv:2601.17549, §5 (Implementation Analysis)
"Compromised MCP servers pivot to attack other connected servers in the protocol network"
Current State
IntentGuard has tool snapshot detection (tool_change_rules), which partially helps by flagging when a server's tool metadata changes between snapshots. However, there is no isolation between MCP servers: a single policy applies globally to every connected server, and nothing prevents tools exposed by one server from being used to reach resources managed by another.
What Should Be Implemented
- Per-server policy scoping: allow different policies per MCP server identity
- Server namespace isolation: tools from server A cannot reference resources from server B
- Server allowlists: restrict which tools are expected from which server
- Policy config example:

```yaml
server_policies:
  filesystem-server:
    allowed_tools: [read_file, write_file, list_directory]
    protected_paths: ["/etc/*", ".env"]
  database-server:
    allowed_tools: [query, list_tables]
    forbidden_tools: [drop_table]
```
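To make the three proposals concrete, here is a minimal per-server policy evaluator. This is an added example written for this note, not IntentGuard's code or a proposed API; it embeds the server_policies sketch above as a Python dict so it runs without a YAML dependency. Two conventions are assumptions for the sake of illustration: a tool name may carry the owning server as a `<server>/<tool>` prefix, and a resource owned by a server is referenced by an `mcp://<server>/...` string in the call arguments.

```python
"""Per-server MCP policy scoping: illustrative evaluator, not IntentGuard code."""
import os
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Any, Iterator

# Policy table mirroring the server_policies YAML sketch above (constructed
# for this example; embedded as a dict so no YAML library is needed).
SERVER_POLICIES: dict[str, dict[str, list[str]]] = {
    "filesystem-server": {
        "allowed_tools": ["read_file", "write_file", "list_directory"],
        "protected_paths": ["/etc/*", ".env"],
    },
    "database-server": {
        "allowed_tools": ["query", "list_tables"],
        "forbidden_tools": ["drop_table"],
    },
}

# Hypothetical convention: a server's resources are referenced as mcp://<server>/...
RESOURCE_SCHEME = "mcp://"


@dataclass(frozen=True)
class ToolCall:
    server: str                 # identity of the MCP server the client dispatches to
    tool: str                   # tool name, optionally prefixed "<server>/<tool>" (assumed convention)
    args: dict[str, Any] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _string_args(value: Any) -> Iterator[str]:
    """Yield every string nested anywhere in the argument structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _string_args(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _string_args(v)


def _path_protected(value: str, patterns: list[str]) -> bool:
    # Normalise first so "/tmp/../etc/passwd" is judged as "/etc/passwd".
    # Match against the whole path and the basename, so ".env" also
    # catches "proj/.env". Note fnmatch's "*" crosses "/" boundaries.
    path = os.path.normpath(value)
    base = os.path.basename(path)
    return any(fnmatch(path, p) or fnmatch(base, p) for p in patterns)


def evaluate(call: ToolCall, policies=SERVER_POLICIES) -> Decision:
    policy = policies.get(call.server)
    if policy is None:
        return Decision(False, f"no policy scoped to server {call.server!r}")

    # 1. Namespace isolation on the tool name: a prefixed tool must belong
    #    to the server it is being dispatched to.
    prefix, sep, bare = call.tool.partition("/")
    if sep and prefix != call.server:
        return Decision(False, f"tool {call.tool!r} belongs to {prefix!r}, not {call.server!r}")
    tool = bare if sep else call.tool

    # 2. Per-server denylist, then allowlist of tools expected from this server.
    if tool in policy.get("forbidden_tools", []):
        return Decision(False, f"{tool!r} is forbidden on {call.server!r}")
    if tool not in policy.get("allowed_tools", []):
        return Decision(False, f"{tool!r} is not an expected tool of {call.server!r}")

    # 3. Namespace isolation on arguments: no references to another server's
    #    resources, and none of this server's protected paths.
    for s in _string_args(call.args):
        if s.startswith(RESOURCE_SCHEME):
            owner = s[len(RESOURCE_SCHEME):].split("/", 1)[0]
            if owner != call.server:
                return Decision(False, f"argument references {owner!r} resource from {call.server!r}")
        if _path_protected(s, policy.get("protected_paths", [])):
            return Decision(False, f"argument {s!r} matches a protected path")
    return Decision(True, "ok")


if __name__ == "__main__":
    for c in (
        ToolCall("filesystem-server", "read_file", {"path": "/home/me/notes.txt"}),
        ToolCall("filesystem-server", "read_file", {"path": "/tmp/../etc/shadow"}),
        ToolCall("database-server", "filesystem-server/read_file", {"path": "/home/me/notes.txt"}),
        ToolCall("filesystem-server", "write_file", {"path": "mcp://database-server/tables/users", "content": "x"}),
        ToolCall("database-server", "drop_table", {"table": "users"}),
    ):
        print(c.server, c.tool, evaluate(c))
```

The evaluation order matters: the cross-server checks run before the per-server allowlist, so a call that names another server's tool is rejected as a scoping violation rather than being silently treated as an unknown tool, which is the signal a detection layer would want to alert on.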
Why It Matters
In multi-server MCP setups, a compromised server could inject tool calls that target another server's resources, bypassing single-server policies.
Priority
Medium-High — becomes critical as multi-server MCP deployments grow.