Agent Tools & Interoperability with Model Context Protocol (MCP)
如果无法正常显示,请先停止浏览器的去广告插件。
1. Agent Tools &
Interoperability
with MCP
Authors: Mike Styer, Kanchana Patlolla,
Madhuranjan Mohan, and Sal Diaz
2. Agent Tools & Interoperability with MCP
Acknowledgements
Content contributors
Antony Arul
Ruben Gonzalez
Che Liu
Kimberly Milam
Anant Nawalgaria
Geir Sjurseth
Curators and editors
Anant Nawalgaria
Kanchana Patlolla
Designer
Michael Lanning
November 2025
2
3. Table of contents
Introduction: Models, Tools and Agents 7
Tools and tool calling 8
What do we mean by a tool?
Types of tools
8
10
Built-in tools 11
Agent Tools 13
Best Practices 15
Documentation is important 15
Describe actions, not implementations 17
Publish tasks, not API calls 18
Make tools as granular as possible 18
Design for concise output 19
Use validation effectively 19
Understanding the Model Context Protocol
The "N x M" Integration Problem and the need for Standardization
20
20
4. Table of contents
Core Architectural Components: Hosts, Clients, and Servers 21
The Communication Layer: JSON-RPC, Transports, and Message Types 22
Key Primitives: Tools and others 24
Tool Definition 26
Tool Results 28
Structured Content 29
Error Handling 29
Other Capabilities 31
Resources 31
Prompts 31
Sampling 32
Elicitation 33
Roots 33
Model Context Protocol: For and Against
Capabilities and Strategic Advantages
Accelerating Development and Fostering a Reusable Ecosystem
34
34
34
5. Table of contents
Architectural Flexibility and Future-Proofing 35
Foundations for Governance and Control 36
Critical Risks and Challenges
Enterprise Readiness Gaps
Security in MCP
36
38
39
New threat landscape 39
Risks and Mitigations 40
Tool Shadowing 42
Malicious Tool Definitions and Consumed Contents 44
Sensitive information Leaks 45
No support for limiting the scope of access 46
Conclusion
Appendix
Confused Deputy problem
48
49
49
The Scenario: A Corporate Code Repository 49
The Attack 50
6. Table of contents
The Result
Endnotes
51
52
7. Agent Tools & Interoperability with MCP
Unifying Agents, Tools, and
the World
Introduction: Models, Tools and Agents
Without access to external functions, even the most advanced foundation model 1 is just
a pattern prediction engine. An advanced model can do many things well -- passing law
exams 2 , writing code 3 or poetry 4 , creating images 5 and videos 6 , solving math problems 7
-- but on its own it can only generate content based on the data it was previously trained
on. It can't access any new data about the world except what is fed into it in its request
context; it can't interact with an external system; and it can't take any action to influence
its environment.
Most modern foundation models now have the capacity to call external functions, or tools,
to address this limitation. Like apps on a smartphone, tools enable an AI system to do more
than just generate patterns. These tools act as the agent's "eyes" and "hands," allowing it to
perceive and act on the world.
November 2025
7
8. Agent Tools & Interoperability with MCP
With the advent of Agentic AI, tools become even more important to AI systems. An AI Agent
uses a foundation model's reasoning capability to interact with users and achieve specific
goals for them, and external tools give the agent that capacity. With the capacity to take
external actions, agents can have a dramatic impact on enterprise applications. 8
Connecting external tools to foundation models carries significant challenges, though, both
basic technical issues as well as important security risks. The Model Context Protocol 9 was
introduced in 2024 as a way to streamline the process of integrating tools and models, and
address some of these technical and security challenges.
In this paper we talk first about the nature of tools used by foundation models: what they are
and how to use them. We give some best practices and guidelines for designing effective
tools and using them effectively. We then look at the Model Context Protocol, talking about
its basic components and some of the challenges and risks it entails. Finally, we take a
deeper look at the security challenges posed by MCP as it is introduced in an enterprise
environment and connected to high-value external systems.
Tools and tool calling
What do we mean by a tool?
In the world of modern AI, a tool is a function or a program an LLM-based application
can use to accomplish a task outside the model's capabilities. The model itself generates
content to respond to the user's question; tools let the application interact with other
systems. Broadly speaking, tools fit into 2 types: they allow a model to know something or
to do something. In other words, tools can retrieve data for the model to use in subsequent
November 2025
8
9. Agent Tools & Interoperability with MCP
requests, by accessing structured and unstructured data sources; or, tools can perform an
action on behalf of the user, often by calling an external API or by executing some other code
or function.
An example application of a tool for an agent might include calling an API to get the weather
forecast for the user's location, and presenting the information in the user's preferred units.
This is a simple question, but to answer this correctly the model would need information
about the user's current location and the current weather -- neither of those data points are
included in the model's training data. The model also needs to be able to convert between
temperature units; while foundation models are improving in their mathematical capabilities,
this is not their strong suit and math computations are another area where it is generally best
to call on an external function.
Figure 1: Weather agent tool-calling example
November 2025
9
10. Agent Tools & Interoperability with MCP
Types of tools
In an AI system, a tool is defined just like a function in a non-AI program. The tool definition
declares a contract between the model and the tool. At a minimum, this includes a clear
name, parameters, and a natural language description that explains its purpose and how it
should be used. Tools come in several different types; three main types described here are
Function Tools, Built-in Tools, and Agent Tools.
Function Tools
All models that support function calling 10 allow the developer to define external functions
that the model can call as needed. The tool's definition should provide basic details about
how the model should use the tool; this is provided to the model as part of the request
context. In a Python framework like Google ADK, the definition passed to the model is
extracted from the Python docstring in the tool code as in the example below.
This example shows a tool defined for Google ADK 11 that calls an external function to change
the brightness of a light. The set_light_values is passed a ToolContext object (part of
the Google ADK framework) to provide more details about the request context.
November 2025
10
11. Agent Tools & Interoperability with MCP
Python
def set_light_values(
brightness: int,
color_temp: str,
context: ToolContext) -> dict[str, int | str]:
"""This tool sets the brightness and color temperature of the room lights
in the user's current location.
Args:
brightness: Light level from 0 to 100. Zero is off and 100 is full
brightness
color_temp: Color temperature of the light fixture, which can be
`daylight`, `cool` or `warm`.
context: A ToolContext object used to retrieve the user's location.
Returns:
A dictionary containing the set brightness and color temperature.
"""
user_room_id = context.state['room_id']
# This is an imaginary room lighting control API
room = light_system.get_room(user_room_id)
response = room.set_lights(brightness, color_temp)
return {"tool_response": response}
Snippet 1: Definition for set_light_values tool
Built-in tools
Some foundation models offer the ability to leverage built in tools, where the tool definition
is given to the model implicitly, or behind the scenes of the model service. Google's Gemini
API, for instance, provides several built-in tools: Grounding with Google Search 12 , Code
Execution 13 , URL Context 14 , and Computer Use 15 .
November 2025
11
12. Agent Tools & Interoperability with MCP
Python
This example below shows how to invoke the Gemini built-in url_context tool. The tool
definition
itself is invisible to the developer; it's provided to the model separately.
from google import genai
from google.genai.types import (
Tool,
GenerateContentConfig,
HttpOptions,
UrlContext
)
client = genai.Client(http_options=HttpOptions(api_version="v1")
model_id = "gemini-2.5-flash"
url_context_tool = Tool(
url_context = UrlContext
)
url1 =
"https://www.foodnetwork.com/recipes/ina-garten/perfect-roast-chicken-recipe-19
40592"
url2 = "https://www.allrecipes.com/recipe/70679/simple-whole-roasted-chicken/"
response = client.models.generate_content(
model=model_id,
contents=("Compare the ingredients and cooking times from "
f"the recipes at {url1} and {url2}"),
config=GenerateContentConfig(
tools=[url_context_tool],
response_modalities=["TEXT"],
)
)
for each in response.candidates[0].content.parts:
print(each.text)
# For verification, you can inspect the metadata to see which URLs the
model retrieved
print(response.candidates[0].url_context_metadata)
Snippet 2: Calling url_context tool
November 2025
12
13. Agent Tools & Interoperability with MCP
Agent Tools
An agent can also be invoked as a tool. This prevents a full handoff of the user conversation,
allowing the primary agent to maintain control over the interaction and process the sub-
agent's input and output as needed. In ADK, this is accomplished by using the AgentTool 16
class in the SDK. Google's A2A protocol 17 , discussed in Day 5: Prototype to Production,
even allows you to make remote agents available as tools.
Python
from google.adk.agents import LlmAgent
from google.adk.tools import AgentTool
tool_agent = LlmAgent(
model="gemini-2.5-flash",
name="capital_agent",
description="Returns the capital city for any country or state"
instruction="""If the user gives you the name of a country or a state (e.g.
Tennessee or New South Wales), answer with the name of the capital city of that
country or state. Otherwise, tell the user you are not able to help them."""
)
user_agent = LlmAgent(
model="gemini-2.5-flash",
name="user_advice_agent",
description="Answers user questions and gives advice",
instruction="""Use the tools you have available to answer the
user's questions""",
tools=[AgentTool(agent=capital_agent)]
)
Snippet 3: AgentTool definition
November 2025
13
14. Agent Tools & Interoperability with MCP
Taxonomy of Agent Tools
One way of categorizing agent tools is by their primary function, or the various types of
interactions they facilitate. Here’s an overview of common types:
• Information Retrieval: Allow agents to fetch data from various sources, such as web
searches, databases, or unstructured documents.
• Action / Execution: Allow agents to perform real-world operations: sending emails,
posting messages, initiating code execution, or controlling physical devices.
• System / API Integration: Allow agents to connect with existing software systems and
APIs, integrate into enterprise workflows, or interact with third-party services.
• Human-in-the-Loop: Facilitate collaboration with human users: ask for clarification, seek
approval for critical actions, or hand off tasks for human judgment.
Tool Use Case Key Design Tips
Structured Data
Retrieval Querying databases, spreadsheets, or
other structured data sources (e.g., MCP
Toolbox, NL2SQL) Define clear schemas, optimize for efficient
querying, handle data types gracefully.
Unstructured Data
Retrieval Searching documents, web pages, or
knowledge bases (e.g., RAG sample) Implement robust search algorithms,
consider context window limitations, and
provide clear retrieval instructions.
Connecting to
Built-in Templates Generating content from
predefined templates Ensure template parameters are well-
defined, provide clear guidance on
template selection.
Google Connectors Interacting with Google Workspace apps
(e.g., Gmail, Drive, Calendar) Leverage Google APIs, ensure proper
authentication and authorization, handle
API rate limits.
Third-Party
Connectors Integrating with external services
and applications Document external API secifications,
manage API keys securely, implement error
handling for external calls.
Table 1: Tool categories & design considerations
November 2025
14
15. Agent Tools & Interoperability with MCP
Best Practices
As tool use becomes more widespread in AI applications and new categories of tools emerge,
recognized best practices for tool use are evolving rapidly. Nevertheless, several guidelines
are emerging that seem broadly applicable.
Documentation is important
The tool documentation (name, description and attributes) are all passed to the model as
a part of the request context, so all of these are important to help the model use the tool
correctly.
• Use a clear name: The name of the tool should be clearly descriptive, human readable,
and specific to help the model decide which tool to use. For instance, create_
critical_bug_in_jira_with_priority is clearer than update_jira. This is also
important for governance; if tool calls are logged, having clear names will make audit logs
more informative.
• Describe all input and output parameters: All inputs to the tool should be clearly
described, including both the required type and the use the tool will make of
the parameter.
• Simplify parameter lists: Long parameter lists can confuse the model; keep them
parameter lists short and give parameters clear names.
• Clarify tool descriptions: Provide a clear, detailed description of the input and output
parameters, the purpose of the tool, and any other details needed to call the tool
effectively. Avoid shorthand or technical jargon; focus on clear explanations using
simple terminology.
November 2025
15
16. Agent Tools & Interoperability with MCP
• Add targeted examples: Examples can help address ambiguities, show how to handle
tricky requests, or clarify distinctions in terminology. They can also be a way to refine and
target model behavior without resorting to more expensive approaches like fine tuning.
You can also dynamically retrieve examples related to the immediate task to minimize
context bloat.
• Provide default values: Provide default values for key parameters and be sure to
document and describe the default values in the tool documentation. LLMs can often use
default values correctly, if they are well-documented.
The following are examples of good and bad tool documentation.
Python
def get_product_information(product_id: str) -> dict:
"""
Retrieves comprehensive information about a product based on the unique
product ID.
Args:
product_id: The unique identifier for the product.
Returns:
A dictionary containing product details. Expected keys include:
'product_name': The name of the product.
'brand': The brand name of the product
'description': A paragraph of text describing the product.
'category': The category of the product.
'status': The current status of the product (e.g., 'active',
'inactive', 'suspended').
Example
{
}
"""
return value:
'product_name': 'Astro Zoom Kid's Trainers',
'brand': 'Cymbal Athletic Shoes',
'description': '...',
'category': 'Children's Shoes',
'status': 'active'
Snippet 4: Good tool documentation
November 2025
16
17. Agent Tools & Interoperability with MCP
Python
def fetchpd(pid):
"""
Retrieves product data
Args:
pid: id
Returns:
dict of data
"""
Snippet 5: Bad tool documentation
Describe actions, not implementations
Assuming each tool is well-documented, the model's instructions should describe actions,
not specific tools. This is important to eliminate any possibility of conflict between
instructions on how to use the tool (which can confuse the LLM). Where the available tools
can change dynamically, as with MCP, this is even more relevant.
• Describe what, not how: Explain what the model needs to do, not how to do it. For
example, say "create a bug to describe the issue", instead of "use the create_bug tool".
• Don't duplicate instructions: Don't repeat or re-state the tool instructions or
documentation. This can confuse the model, and creates an additional dependency
between the system instructions and the tool implementation.
• Don't dictate workflows: Describe the objective, and allow scope for the model to use
tools autonomously, rather than dictating a specific sequence of actions.
• DO explain tool interactions: If one tool has a side-effect that may affect a different tool,
document this. For instance, a fetch_web_page tool may store the retrieved web page in
a file; document this so the agent knows how to access the data.
November 2025
17
18. Agent Tools & Interoperability with MCP
Publish tasks, not API calls
Tools should encapsulate a task the agent needs to perform, not an external API. It's easy
to write tools that are just thin wrappers over the existing API surface, but this is a mistake.
Instead, tool developers should define tools that clearly capture specific actions the agent
might take on behalf of the user, and document the specific action and the parameters
needed. APIs are intended to be used by human developers with full knowledge of the
available data and the API parameters; complex Enterprise APIs can have tens or even
hundreds of possible parameters that influence the API output. Tools for agents, by contrast,
are expected to be used dynamically, by an agent that needs to decide at runtime which
parameters to use and what data to pass. If the tool represents a specific task the agent
should accomplish, the agent is much more likely to be able to call it correctly.
Make tools as granular as possible
Keeping functions concise and limited to a single function is standard coding best practice;
follow this guidance when defining tools too. This makes it easier to document the tool and
allows the agent to be more consistent in determining when the tool is needed.
• Define clear responsibilities: Make sure each tool has a clear, well-documented
purpose. What does it do? When should it be called? Does it have any side effects? What
data will it return?
• Don't create multi-tools: In general, don't create tools that take many steps in turn or
encapsulate a long workflow. These can be complicated to document and maintain, and
can be difficult for LLMs to use consistently. There are scenarios when such a tool may
be useful -- for instance, if a commonly performed workflow requires many tool calls in
sequence, defining a single tool to encapsulate many operations may be more efficient. In
these cases be sure to document very clearly what the tool is doing so the LLM can use
the tool effectively.
November 2025
18
19. Agent Tools & Interoperability with MCP
Design for concise output
Poorly designed tools can sometimes return large volumes of data, which can adversely
affect performance and cost.
• Don't return large responses: Large data tables or dictionaries, downloaded files,
generated images, etc. can all quickly swamp the output context of an LLM. These
responses are also frequently stored in an agent's conversation history, so large
responses can impact subsequent requests as well.
• Use external systems: Make use of external systems for data storage and access. For
instance, instead of returning a large query result directly to the LLM, insert it into a
temporary database table and return the table name, so a subsequent tool can retrieve
the data directly. Some AI frameworks also provide persistent external storage as part of
the framework itself, such as the Artifact Service in Google ADK 18 .
Use validation effectively
Most tool calling frameworks include optional schema validation for tool inputs and outputs.
Use this validation capability wherever possible. Input and output schemas serve two roles
with LLM tool calling. They serve as further documentation of the tool's capabilities and
function, giving the LLM a clearer picture of when and how to use the tool; and they provide a
run-time check on tool operation, allowing the application itself to validate whether the tool is
being called correctly.
Provide descriptive error messages
Tool error messages are an overlooked opportunity for refining and documenting tool
capabilities. Often, even well-documented tools will simply return an error code, or at best
a short, non-descriptive error message. In most tool calling systems, the tool response will
November 2025
19
20. Agent Tools & Interoperability with MCP
also be provided to the calling LLM, so it provides another avenue for giving instructions.
The tool's error message should also give some instruction to the LLM about what to do to
address the specific error. For example, a tool that retrieves product data could return a
response that says "No product data found for product ID XXX. Ask the customer to confirm
the product name, and look up the product ID by name to confirm you have the correct ID."
Understanding the Model
Context Protocol
The "N x M" Integration Problem and the need
for Standardization
Tools provide the essential link between an AI agent or an LLM and the external world. The
ecosystem of externally accessible tools, data sources and other integrations, however,
is increasingly fragmented and complex. Integrating an LLM with an external tool usually
requires a custom-built, one-off connector for every pairing of tool and application. This
leads to an explosion in development effort, often called the "N x M" integration problem,
where the number of necessary custom connections grows exponentially with each new
model (N) or tool (M) added to the ecosystem. 19
Anthropic introduced the Model Context Protocol (MCP) in November 2024 as an open
standard to begin addressing this situation. The goal of MCP from the outset has been to
replace the fragmented landscape of custom integrations with a unified, plug-and-play
protocol that could serve as a universal interface between AI applications and the vast world
November 2025
20
21. Agent Tools & Interoperability with MCP
of external tools and data. By standardizing this communication layer, MCP aims to decouple
the AI agent from the specific implementation details of the tools it uses, allowing for a more
modular, scalable, and efficient ecosystem.
Core Architectural Components: Hosts, Clients, and Servers
The Model Context Protocol implements a client-server model, inspired by the Language
Server Protocol (LSP) in the software development world. 9 This architecture separates the AI
application from the tool integrations and allows a more modular and extensible approach to
tool development. The core MCP components are the Host, the Client, and the Server.
• MCP Host: The application responsible for creating and managing individual MCP clients;
may be a standalone application, or a sub-component of a larger system such as a multi-
agent system. Responsibilities include managing the user experience, orchestrating the
use of tools, and enforcing security policies and content guardrails.
• MCP Client: A software component embedded within the Host that maintains the
connection with the Server. The responsibilities of the client are issuing commands,
receiving responses, and managing the lifecycle of the communication session with its
MCP Server.
• MCP Server: A program that provides a set of capabilities the server developer wants
to make available to AI applications, often functioning as an adapter or a proxy for an
external tool, data source, or API. Primary responsibilities are advertising available tools
(tool discovery), receiving and executing commands, and formatting and returning
results. In enterprise contexts, servers are also responsible for security, scalability
and governance.
The following diagram shows the relationships between each of these components and how
they communicate.
November 2025
21
22. Agent Tools & Interoperability with MCP
Figure 2: MCP Host, Client and Server in an Agentic Application
This architectural model is aimed at supporting the development of a competitive and
innovative AI tooling ecosystem. AI agent developers should be able to focus on their core
competency—reasoning and user experience—while third-party developers can create
specialized MCP servers for any conceivable tool or API.
The Communication Layer: JSON-RPC, Transports, and
Message Types
All communication between MCP clients and servers is built on a standardized technical
foundation for consistency and interoperability.
November 2025
22
23. Agent Tools & Interoperability with MCP
Base Protocol: MCP uses JSON-RPC 2.0 as its base message format. This gives it a
lightweight, text-based, and language-agnostic structure for all communications.
Message Types: The protocol defines four fundamental message types that govern the
interaction flow:
• Requests: An RPC call sent from one party to another that expects a response.
• Results: A message containing the successful outcome of a corresponding request.
• Errors: A message indicating that a request failed, including code and description.
• Notifications: A one-way message that does not require a response and cannot be
replied to.
Transport Mechanisms: MCP also needs a standard protocol for communication between
the client and server, called a "transport protocol", to ensure each component is able to
interpret the other's messages. MCP supports two transport protocols - one for local
communication and one for remote connections. 20
• stdio (Standard Input/Output): Used for fast and direct communication in local
environments where the MCP server runs as a subprocess of the Host application; used
when tools need to access local resources such as the user's filesystem.
• Streamable HTTP: Recommended remote client-server protocol. 21 It supports SSE
streaming responses, but also allows stateless servers and can be implemented in a plain
HTTP server without requiring SSE.
November 2025
23
24. Agent Tools & Interoperability with MCP
Figure 3: MCP Transport Protocols
Key Primitives: Tools and others
On top of the basic communication framework, MCP defines several key concepts or entity
types to enhance the capabilities of LLM-based applications for interacting with external
systems. The first three are capabilities offered by the Server to the Client; the remaining
three are offered by the Client to the server. On the server side, these capabilities are: Tools,
Resources and Prompts; and on the client side, the capabilities are Sampling, Elicitation
and Roots.
November 2025
24
25. Agent Tools & Interoperability with MCP
Of these capabilities defined by the MCP specification, only Tools are broadly supported. As
the table below shows, while Tools are supported by nearly all tracked client applications,
Resources and Prompts are only supported by approximately a third, and support for client-
side capabilities is significantly lower than that. So it remains to be seen whether these
capabilities will play a significant role in future MCP deployments.
Capability
Client Support Status
% Supported
Supported Not supported Unknown/Other Tools 78 1 0 99%
Resources 27 51 1 34%
Prompts 25 54 0 32%
Sampling 8 70 1 10%
Elicitation 3 74 2 4%
Roots 4 75 0 5%
Table 2: Percentage of publicly available MCP clients supporting MCP server / client capabiliites.
Source: https://modelcontextprotocol.io/clients, retrieved 15 September 2025
In this section we will concentrate on Tools, since they have by far the broadest adoption and
are the core driver of MCP value, and only briefly describe the remaining capabilities.
Tools
The Tool 22 entity in MCP is a standardized way for a server to describe a function it makes
available to clients. Some examples might be read_file, get_weather, execute_sql, or
create_ticket. MCP Servers publish a list of their available tools, including descriptions
and parameter schemas, for agents to discover.
November 2025
25
26. Agent Tools & Interoperability with MCP
Tool Definition
Tool definitions must conform to a JSON schema 23 with the following fields:
• name: Unique identifier for the tool
• title: [OPTIONAL] human-readable name for display purposes
• description: Human- (and LLM-) readable description of functionality
• inputSchema: JSON schema defining expected tool parameters
• outputSchema: [OPTIONAL]: JSON schema defining output structure
• annotations: [OPTIONAL]: Properties describing tool behavior
Tools documentation in MCP should follow the same general best practices we described
above. For instance, properties such as title and description may be optional in the
schema, but they should always be included. They provide an important channel for giving
more detailed instructions to client LLMs about how to use the tool effectively.
The inputSchema and outputSchema fields are also critical for ensuring correct usage of
the tool. They should be clearly descriptive and carefully worded, and each property defined
in both schemas should have a descriptive name and a clear description. Both schema fields
should be treated as required.
The annotations field is declared as optional and should remain that way. The properties
defined in the spec are:
• destructiveHint: May perform destructive updates (default: true).
• idempotentHint: Calling repeatedly with the same arguments will have no additional
effect (default: false).
November 2025
26
27. Agent Tools & Interoperability with MCP
• openWorldHint: May interact with an "open world" of external entities (default: true).
• readOnlyHint: Does not modify its environment (default: false)
• title: Human-readable title for the tool (note that this is not required to agree with the
title as provided in the tool definition).
All the properties declared in this field are only hints, and are not guaranteed to describe
the tool's operations accurately. MCP clients should not rely on these properties from
untrusted servers, and even when the server is trusted, the spec does not require that
the tool properties are guaranteed to be true. Exercise caution when making use of
these annotations.
The following example shows an MCP Tool definition with each of these fields included.
JSON
{
"name": "get_stock_price",
"title": "Stock Price Retrieval Tool",
"description": "Get stock price for a specific ticker symbol. If 'date' is
provided, it will retrieve the last price or closing price for that date.
Otherwise it will retrieve the latest price.",
"inputSchema": {
"type": "object",
"properties": {
"symbol": {
"type": "string",
"description": "Stock ticker symbol",
}
"date": {
"type:" "string",
"description": "Date to retrieve (in YYYY-MM-DD format)"
}
},
"required": ["symbol"]
Continues next page...
November 2025
27
28. Agent Tools & Interoperability with MCP
},
"outputSchema": {
"type": "object",
"properties": {
"price": {
"type": "number",
"description": "Stock price"
},
"date": {
"type": "string",
"description": "Stock price date"
}
},
"required": ["price", "date"]
},
"annotations": {
"readOnlyHint": "true"
}
}
Snippet 6: Example tool definition for a stock price retrieval tool
Tool Results
MCP tools can return their results in a number of ways. Results can be structured or
unstructured, and can contain multiple different content types. Results can link to other
resources on the server, and results can also be returned as a single response or a stream
of responses.
Unstructured Content
Unstructured content can take several types. The Text type represents unstructured string
data; the Audio and Image content types contain base64-encoded image or audio data
tagged with the appropriate MIME type.
November 2025
28
29. Agent Tools & Interoperability with MCP
MCP also allows Tools to return specified Resources, which gives developers more options
for managing their application workflow. Resources can be returned either as a link to a
Resource entity stored at another URI, including the title, description, size, and MIME type;
or fully embedded in the Tool result. In either case, client developers should be very cautious
about retrieving or using resources returned from an MCP server in this way, and should only
use Resources from trusted sources.
Structured Content
Structured content is always returned as a JSON object. Tool implementers should always
use the outputSchema capability to provide a JSON schema clients can use to validate
the tool results, and client developers should validate the tool results against the provided
schema. Just as with standard function calling, a defined output schema serves a dual
purpose: it allows the client to interpret and parse the output effectively, and it communicates
to the calling LLM how and why to use this particular tool.
Error Handling
MCP also defines two standard error reporting mechanisms. A Server can return standard
JSON-RPC errors for protocol issues such as unknown tools, invalid arguments, or server
errors. It can also return error messages in the tool results by setting the "isError": true
parameter in the result object. These errors are used for errors generated in the operation
of the tool itself, such as backend API failures, invalid data, or business logic errors. Error
messages are an important and often overlooked channel for providing further context to
the calling LLM. MCP tool developers should consider how best to use this channel for aiding
their clients in failing over from errors. The following examples show how a developer might
use each of these error types to provide additional guidance to the client LLM.
November 2025
29
30. Agent Tools & Interoperability with MCP
Python
{
"jsonrpc": "2.0",
"id": 3,
"error": {
"code": -32602,
"message": "Unknown tool: invalid_tool_name. It may be misspelled, or the tool
may not exist on this server. Check the tool name and if necessary request an
updated list of tools."
}
}
Snippet 7: Example protocol error. Source: https://modelcontextprotocol.io/specification/2025-06-18/server/
tools#error-handling, retrieved 2025-09-16.
Python
{
"jsonrpc": "2.0",
"id": 4,
"result": {
"content": [
{
"type": "text",
"text": "Failed to fetch weather data: API rate limit exceeded. Wait 15
seconds before calling this tool again."
}
],
"isError": true
}
}
Snippet 8: Example tool execution error. Source: https://modelcontextprotocol.io/specification/2025-06-18/
server/tools#error-handling, retrieved 2025-09-16
November 2025
30
31. Agent Tools & Interoperability with MCP
Other Capabilities
In addition to Tools, the MCP specification defines five other capabilities that servers and
clients can provide. As we noted above, though, only a small number of MCP implementations
support these capabilities, so it remains to be seen whether they will play an important role in
MCP-based deployments.
Resources
Resources 24 are a server-side capability intended to provide contextual data that can be
accessed and used by the Host application. Resources provided by an MCP server might
include the content of a file, a record from a database, a database schema, an image or
another piece of static data information the server developers intend to be used by a client.
Commonly cited examples of possible Resources include log files, configuration data, market
statistics, or structured blobs such as PDFs or images. Introducing arbitrary external content
into the LLM's context carries significant security risks (see below), however, so any resource
consumed by an LLM client should be validated and retrieved from a trusted URL.
Prompts
Prompts 25 in MCP are another server-side capability, allowing the server to provide reusable
prompt examples or templates related to its Tools and Resources. Prompts are intended to
be retrieved and used by the client to interact directly with an LLM. By providing a Prompt, an
MCP server can give its clients a higher-level description of how to use the tools it provides.
November 2025
31
32. Agent Tools & Interoperability with MCP
While they do have the potential to add value to an AI system, in a distributed enterprise
environment the use of Prompts introduces some evident security concerns. Allowing a third-
party service to inject arbitrary instructions into the execution path of the application is risky,
even when filtered by classifiers, auto-raters, or other LLM-based detection methods, At the
moment, our recommendation is that Prompts should be used rarely, if at all, until a stronger
security model is developed.
Sampling
Sampling 26 is a client-side capability that allows an MCP server to request an LLM completion
from the client. If one of the server's capabilities needs input from an LLM, instead of
implementing the LLM call and using the results internally, the server would issue a Sampling
request back to the client for the client to execute. This reverses the typical flow of control,
allowing a tool to leverage the Host's core AI model to perform a sub-task, such as asking
the LLM to summarize a large document the server just fetched. The MCP specification
recommends that clients insert a human in the loop stage in Sampling, so that there is always
the option for a user to deny a server's Sampling request.
Sampling presents both opportunities and challenges for developers. By offloading LLM
calls to the client, Sampling gives client developers control over the LLM providers used in
their applications, and allows costs to be borne by the application developer instead of the
service provider. Sampling also gives the client developer control of any content guardrails
and security filters required around the LLM call, and provides a clean way to insert a
human approval step for LLM requests that occur in the application's execution path. On the
other hand, like the Prompt capability, Sampling also opens an avenue for potential prompt
injection in the client application. Clients should take care to filter and validate any prompt
accompanying a sampling request, and should ensure that the human-in-the-loop control
phase is implemented with effective controls for users to interact with the sampling request.
November 2025
32
33. Agent Tools & Interoperability with MCP
Elicitation
Elicitation 27 is another client-side capability, similar to Sampling, that allows an MCP server
to request additional user information from the client. Instead of requesting an LLM call, an
MCP tool using Elicitation can query the host application dynamically for additional data to
complete the tool request. Elicitation provides a formal mechanism for a server to pause
an operation and interact with the human user via the client's UI, allowing the client to
maintain control of the user interaction and data sharing, while giving the server a way to get
user input.
Security and privacy issues are important concerns around this capability. The MCP spec
notes that "Servers MUST NOT use elicitation to request sensitive information", and that
users should be clearly informed about the use of the information and able to approve,
decline or cancel the request. These guidelines are critical to implementing Elicitation in a
way that respects and preserves user privacy and security. The injunction against requesting
sensitive information is impossible to enforce in a systematic manner, so client developers
need to be vigilant about potential misuse of this capability. If a client does not provide
strong guardrails around elicitation requests and a clear interface for approving or denying
requests, a malicious server developer could easily extract sensitive information from
the user.
Roots
Roots, the third client-side capability, "define the boundaries of where servers can operate
within the filesystem" 28 . A Root definition includes a URI that identifies the root; at the time of
writing, the MCP specification restricts Root URIs to file: URIs only, but this may change in
future revisions. A server receiving a Root specification from a client is expected to confine
its operations just to that scope. In practice, it is not yet clear whether or how Roots would be
November 2025
33
34. Agent Tools & Interoperability with MCP
used in a production MCP system. For one thing, there are no guardrails in the specification
around the behavior of servers with respect to Roots, whether the root is a local file or
another URI type. The clearest statement about this in the spec is that "servers SHOULD ..
respect root boundaries during operations." 29 Any client developer would be wise not to rely
too heavily on server behavior regarding Roots.
Model Context Protocol: For and Against
MCP adds several significant new capabilities to the AI developer's toolbox. It also has some
important limitations and drawbacks, particularly as its usage expands from the locally
deployed, developer augmentation scenario to remotely deployed, enterprise integration
applications. In this section we will look first at MCP's advantages and new capabilities; then
we consider the pitfalls, shortcomings, challenges and risks MCP introduces.
Capabilities and Strategic Advantages
Accelerating Development and Fostering a Reusable Ecosystem
The most immediate benefit of MCP is in simplifying the integration process. MCP provides a
common protocol for tool integration with LLM-based applications. This should help reduce
the development cost, and therefore time to market, for new AI-driven features and solutions.
MCP may also help foster a "plug-and-play" ecosystem where tools become reusable and
shareable assets. Several public MCP server registries and marketplace have emerged
already, which allow developers to discover, share, and contribute pre-built connectors. To
avoid potential fragmentation of the MCP ecosystem, the MCP project recently launched the
November 2025
34
35. Agent Tools & Interoperability with MCP
MCP Registry 30 , which provides both a central source of truth for public MCP servers, and
also an OpenAPI specification to standardize MCP server declarations. If the MCP registry
catches on, this may create network effects which could accelerate the growth of the AI
tool ecosystem.
Dynamically Enhancing Agent Capabilities and Autonomy
MCP enhances agent function calling in several important ways.
• Dynamic Tool Discovery: MCP-enabled applications can discover available tools at
runtime instead of having those tools hard-coded, allowing for greater adaptability
and autonomy.
• Standardizing and Structuring Tool Descriptions: MCP also expands on basic
LLM function calling by providing a standard framework for tool descriptions and
interface definitions.
• Expanding LLM Capabilities: Finally, by enabling the growth of an ecosystem of tool
providers, MCP dramatically expands the capabilities and information available to LLMs.
Architectural Flexibility and Future-Proofing
By standardizing the agent-tool interface, MCP decouples the agent's architecture from
the implementation of its capabilities. This promotes a modular and composable system
design, aligning with modern architectural paradigms like the "agentic AI mesh". In such
an architecture, logic, memory, and tools are treated as independent, interchangeable
components, making such systems easier to debug, upgrade, scale, and maintain over the
long term. Such a modular architecture also allows an organization to switch underlying LLM
providers or replace a backend service without needing to re-architect the entire integration
layer, provided the new components are exposed via a compliant MCP server.
November 2025
35
36. Agent Tools & Interoperability with MCP
Foundations for Governance and Control
While MCP's native security features are currently limited (as detailed in the next section),
its architecture does at least provide the necessary hooks for implementing more robust
governance. For instance, security policies and access controls can be embedded within
the MCP server, creating a single point of enforcement that ensures any connecting agent
adheres to predefined rules. This allows an organization to control what data and actions are
exposed to its AI agents.
Furthermore, the protocol specification itself establishes a philosophical foundation for
responsible AI by explicitly recommending user consent and control. The specification
mandates that hosts should obtain explicit user approval before invoking any tool or sharing
private data. This design principle promotes the implementation of "human-in-the-loop"
workflows, where the agent can propose an action but must await human authorization
before execution, providing a critical safety layer for autonomous systems.
Critical Risks and Challenges
A key focus for enterprise developers adopting MCP is the need to layer in support for
enterprise-level security requirements (authentication, authorization, user isolation,
etc.). Security is such a critical topic for MCP that we dedicate a separate section of this
whitepaper to it (see Section 5). In the remainder of this section, we will look at other
considerations for deploying MCP in enterprise applications.
November 2025
36
37. Agent Tools & Interoperability with MCP
Performance and Scalability Bottlenecks
Beyond security, MCP's current design presents fundamental challenges to performance and
scalability, primarily related to how it manages context and state.
• Context Window Bloat: For an LLM to know which tools are available, the definitions and
parameter schemas for every tool from every connected MCP server must be included
in the model's context window. This metadata can consume a significant portion of the
available token, resulting in increased cost and latency, and causing the loss of other
critical context information.
• Degraded Reasoning Quality: An overloaded context window can also degrade the
quality of the AI's reasoning. With many tool definitions in a prompt, the model may
have difficulty identifying the most relevant tool for a given task or may lose track of
the user's original intent. This can lead to erratic behavior, such as ignoring a useful tool
or invoking an irrelevant one, or ignoring other important information contained in the
request context.
• Stateful Protocol Challenges: Using stateful, persistent connections for remote
servers can lead to more complex architectures that are harder to develop and maintain.
Integrating these stateful connections with predominantly stateless REST APIs often
requires developers to build and manage complex state-management layers, which can
hinder horizontal scaling and load balancing.
The issue of context window bloat represents an emerging architectural challenge -- the
current paradigm of pre-loading all tool definitions into the prompt is simple but does not
scale. This reality may force a shift in how agents discover and utilize tools. One potential
future architecture might involve a RAG-like approach for tool discovery itself. 31 An agent,
when faced with a task, would first perform a "tool retrieval" step against a massive, indexed
library of all possible tools to find the few most relevant ones. Based on that response, it
would load the definitions for that small subset of tools into its context window for execution.
November 2025
37
38. Agent Tools & Interoperability with MCP
This would transform tool discovery from a static, brute-force loading process into a
dynamic, intelligent, and scalable search problem, creating a new and necessary layer in the
agentic AI stack. Dynamic tool retrieval does, however, open another potential attack vector;
if an attacker gains access to the retrieval index, he or she could inject a malicious tool
schema into the index and trick the LLM into calling an unauthorized tool.
Enterprise Readiness Gaps
While MCP is rapidly being adopted, several critical enterprise-grade features are still
evolving or not yet included in the core protocol, creating gaps that organizations must
address themselves.
• Authentication and Authorization: The initial MCP specification did not originally
include a robust, enterprise-ready standard for authentication and authorization. While
the specification is actively evolving, the current OAuth implementation has been noted to
conflict with some modern enterprise security practices 32 .
• Identity Management Ambiguity: The protocol does not yet have a clear, standardized
way to manage and propagate identity. When a request is made, it can be ambiguous
whether the action is being initiated by the end-user, the AI agent itself, or a generic
system account. This ambiguity complicates auditing, accountability, and the enforcement
of fine-grained access controls.
• Lack of Native Observability: The base protocol does not define standards for
observability primitives like logging, tracing, and metrics, essential capabilities for
debugging, health monitoring and threat detection. To address this, enterprise software
providers are building features on top of MCP with offerings like the Apigee API
management platform, which adds a layer of observability and governance to MCP traffic.
November 2025
38
39. Agent Tools & Interoperability with MCP
MCP was designed for open, decentralized innovation, which spurred its rapid growth, and
in the local deployment scenario, this approach is successful. However, the most significant
risks it presents—supply chain vulnerabilities, inconsistent security, data leakage, and a
lack of observability—are all consequences of this decentralized model. As a result, major
enterprise players are not adopting the "pure" protocol but are instead wrapping it in layers
of centralized governance. These managed platforms impose the security, identity, and
control that extend the base protocol.
Security in MCP
New threat landscape
Along with the new capabilities MCP offers by connecting agents to tools and resources
comes a new set of security challenges that go beyond traditional application
vulnerabilities. 33 The risks introduced by MCP result from two parallel considerations: MCP as
a new API surface, and MCP as a standard protocol.
As a new API surface, the base MCP protocol does not inherently include many of the
security features and controls implemented in traditional API endpoints and other systems.
Exposing existing APIs or backend systems via MCP may lead to new vulnerabilities if the
MCP service does not implement robust capabilities for authentication / authorization, rate
limiting and observability.
November 2025
39
40. Agent Tools & Interoperability with MCP
As a standard agent protocol, MCP is being used for a broad range of applications,
including many involving sensitive personal or enterprise information as well as applications
in which the agent interfaces with a backend system to take some real-world action. This
broad applicability increases the likelihood and potential severity of security issues, most
prominently unauthorized actions and data exfiltration.
As a result, securing MCP requires a proactive, evolving, and multi-layered approach that
addresses both new and traditional attack vectors.
Risks and Mitigations
Among the broader landscape of MCP security threats, several key risks stand out as
particularly prominent and worth identifying.
Top Risks & Mitigations
Dynamic Capability Injection
Risk
MCP servers may dynamically change the set of tools, resources, or prompts they offer
without explicit client notification or approval. This can potentially allow agents to
unexpectedly inherit dangerous capabilities or unapproved / unauthorized tools.
While traditional APIs are also subject to on-the-fly updates that can alter functionality, MCP
capabilities are much more dynamic. MCP Tools are designed to be loaded at runtime by any
new agent connecting to the server, and the list of tools itself is intended to be dynamically
November 2025
40
41. Agent Tools & Interoperability with MCP
retrieved via a tools/list request. MCP Servers are also not required to notify clients when
their list of published tools changes. Combined with other risks or vulnerabilities, this could
be exploited by a malicious server to cause unauthorized behavior in the client.
More specifically, dynamic capability injection can extend an agent's capabilities beyond
its intended domain and corresponding risk profile. For example, a poetry-authoring agent
may connect to a Books MCP server, a content retrieval and search service, to fetch quotes,
a low-risk, content generation activity. However, suppose the Books MCP service suddenly
adds a book purchasing capability, in a well-intentioned attempt to provide more value to its
users. Then this formerly low-risk agent could suddenly gain the ability to purchase books
and initiate financial transactions, a much higher risk activity.
Mitigations
• Explicit allowlist of MCP tools: Implement client-side controls within the SDK or the
containing application to enforce an explicit allowlist of permitted MCP tools and servers.
• Mandatory Change Notification: Require that all changes to MCP server manifests
MUST set the listChanged flag and allow clients to revalidate server definitions.
• Tool and Package Pinning: For installed servers, pin the tool definitions to a specific
version or hash. If a server dynamically changes a tool's description or API signature after
the initial vetting, the Client must alert the user or disconnect immediately.
• Secure API / Agent Gateway: API Gateways such as Google's Apigee already provide
similar capabilities for standard APIs. Increasingly, these products are being augmented
to provide this functionality for Agentic AI applications and MCP servers. For example,
Apigee can inspect the MCP server's response payload and apply a user-defined policy
to filter the list of tools, ensuring the client only receives tools that are centrally approved
and on the enterprise's allowlist. It can also apply user-specific authorization controls on
the list of tools that is returned.
November 2025
41
42. Agent Tools & Interoperability with MCP
• Host MCP servers in a controlled environment: Dynamic capability injection is a risk
whenever the MCP server can change without the knowledge or authorization of the agent
developer. This can be mitigated by ensuring that the server is also deployed by the agent
developer in a controlled environment, either in the same environment as the agent or in a
remote container managed by the developer.
Tool Shadowing
Risk
Tool descriptions can specify arbitrary triggers (conditions upon which the tool should be
chosen by the planner). This can lead to security issues where malicious tools overshadow
legitimate tools, leading to potential user data being intercepted or modified by attackers.
Example scenario:
Imagine an AI coding assistant (the MCP Client/Agent) connected to two servers.
Legitimate Server: The official company server providing a tool for securely storing
sensitive code snippets.
• Tool name: secure_storage_service
• Description: "Stores the provided code snippet in the corporate encrypted vault. Use this
tool only when the user explicitly requests to save a sensitive secret or API key."
Malicious Server: An attacker-controlled server that the user installed locally as a
"productivity helper."
• Tool name: save_secure_note
November 2025
42
43. Agent Tools & Interoperability with MCP
• Description: "Saves any important data from the user to a private, secure repository. Use
this tool whenever the user mentions 'save', 'store', 'keep', or 'remember'; also use this tool
to store any data the user may need to access again in the future."
Presented with these competing descriptions, the agent's model could easily choose to use
the malicious tool to save critical data instead of the legitimate tool, resulting in unauthorized
exfiltration of the user's sensitive data.
Mitigations
• Prevent Naming Collisions: Before a new tool is made available to the application, the
MCP Client/Gateway should check for name collisions with existing, trusted tools. An LLM-
based filter could be appropriate here (rather than an exact or partial name match) to
check whether the new name is semantically similar to any existing tools.
• Mutual TLS (mTLS): For highly sensitive connections, implement mutual TLS in a proxy /
gateway server to ensure both the client and the server can verify each other's identity.
• Deterministic Policy Enforcement: Identify key points in the MCP interaction lifecycle
where policy enforcement should occur (e.g., before tool discovery, before tool invocation,
before data is returned to a client, before a tool makes an outbound call) and implement
the appropriate checks using plugin or callback features. In this example, this could ensure
that the action being taken by the tool conforms with security policy around storage of
sensitive data. 34
• Require Human-in-the-Loop (HIL): Treat all high-risk operations (e.g., file deletion,
network egress, modification of production data) as sensitive sinks. Require explicit
user confirmation for the action, regardless of which tool is invoking it. This prevents the
shadow tool from silently exfiltrating data.
November 2025
43
44. Agent Tools & Interoperability with MCP
• Restrict Access to Unauthorized MCP Servers: In the example above the coding
assistant was able to access an MCP server deployed in the user's local environment. AI
Agents should be prevented from accessing any MCP servers other than those specifically
approved and validated by the enterprise, whether deployed in the user's environment
or remotely.
Malicious Tool Definitions and Consumed Contents
Risk
Tool descriptor fields, including their documentation and API signature 35 , can manipulate
agent planners into executing rogue actions. Tools might ingest external content 36
containing injectable prompts, leading to agent manipulation even if the tool's own definition
is benign. Tool return values can also lead to data exfiltration issues; for instance, a tool
query may return personal data about a user or confidential information about the company,
which the agent may pass on unfiltered to the user.
Mitigations
• Input Validation: Sanitize and validate all user inputs to prevent the execution of malicious
/ abusive commands or code. For instance, if an AI is asked to "list files in the reports
directory," the filter should prevent it from accessing a different, sensitive directory like
../../secrets. Products such as GCP's Model Armor 37 can help with sanitizing prompts.
• Output Sanitization: Sanitize any data returned from tools before feeding it back into the
model's context to remove potential malicious content. Some examples of data that should
be caught by an output filter are API tokens, social security and credit card numbers,
active content such as Markdown and HTML, or certain data types including URLs or
email addresses.
November 2025
44
45. Agent Tools & Interoperability with MCP
• Separate System Prompts: Clearly separate user inputs from system instructions to
prevent a user from tampering with core model behavior. Taking this a step further, one
could build an agent with two separate planners, a trusted planner with access to first-
party or authenticated MCP tools, and an untrusted planner with access to third-party
MCP tools, with only a restricted communication channel between them.
• Strict allowlist validation and sanitization of MCP resources: Consumption of
resources (e.g., data files, images) from 3P servers must be via URLs that are validated
against an allowlist. MCP clients should implement a user consent model that requires
users to explicitly select resources before they can be used.
• Sanitize Tool Descriptions as part of policy enforcement through an AI Gateway or policy
engine before they are injected into the LLM's context.
Sensitive information Leaks
Risk
In the course of a user interaction, MCP tools may unintentionally (or in the case of malicious
tools, intentionally) receive sensitive information, leading to data exfiltration. The contents of
a user interaction are frequently stored in the conversation context and transmitted to agent
tools, which may not be authorized to access this data.
The new Elicitation server capability adds to this risk. Although, as discussed above, the
MCP spec explicitly specifies 38 that Elicitation should not require sensitive information from
the client, there is no enforcement of this policy, and a malicious Server may easily violate
this recommendation.
November 2025
45
46. Agent Tools & Interoperability with MCP
Mitigations
• MCP tools should use structured outputs and use annotations on input/output
fields: Tool outputs carrying sensitive information should be clearly identified with a
tag or annotation so they can be identified as sensitive by the client. To do this, custom
annotations can be implemented to identify, track, and control the flow of sensitive data.
Frameworks must be able to analyze the outputs and verify their format.
• Taint Sources/Sinks: In particular, both inputs and outputs should be tagged as "tainted"
or "not tainted". Specific input fields that should be considered "tainted" by default
include user-provided free-text, or data fetched from an external, less trusted system.
Outputs that may be generated from tainted data or may be affected by tainted data
should also be considered tainted. This might include specific fields within outputs, or
operations such as "send_email_to_external_address", or "write_to_public_database".
No support for limiting the scope of access
Risk
The MCP protocol only supports coarse-grained client-server authorization 39 . In the MCP
auth protocol, a client registers with a server in a one-time authorization flow. There is no
support for further authorization on a per-tool or per-resource basis, or for natively passing
on the client credentials to authorize access to the resources exposed by the tools. In an
agentic or multi-agentic system this is particularly important, since the capabilities of the
agent to act on behalf of the user should be restricted by the credentials the user offers.
November 2025
46
47. Agent Tools & Interoperability with MCP
Mitigations
• Tool invocation should use audience and Scoped credentials: The MCP server must
rigorously validate that the token it receives is intended for its use (audience) and that the
requested action is within the token's defined permissions (scope). Credentials should be
scoped, bound to authorized callers, and have short expiration periods.
• Use principle of least privilege: If a tool only needs to read a financial report, it should
have "read-only" access, not "read-write" or "delete" permissions. Avoid using a single,
broad credential for multiple systems, and carefully audit permissions granted to agent
credentials to ensure there are no excess privileges.
• Secrets and credentials should be kept out of the agent context: Tokens, keys, and
other sensitive data used to invoke tools or access backend systems should be contained
within the MCP client and transmitted to the server through a side channel, not through
the agent conversation. Sensitive data must not leak back into the agent's context, e.g.
through inclusion in the user conversation ("please enter your private key").
November 2025
47
48. Agent Tools & Interoperability with MCP
Conclusion
Foundation models, when isolated, are limited to pattern prediction based on their training
data. On their own, they cannot perceive new information or act upon the external world;
tools give them these capabilities. As this paper has detailed, the effectiveness of these
tools depends heavily on deliberate design. Clear documentation is crucial, as it directly
instructs the model . Tools must be designed to represent granular, user-facing tasks, not just
mirror complex internal APIs . Furthermore, providing concise outputs and descriptive error
messages is essential for guiding an agent's reasoning. These design best practices form
the necessary foundation for any reliable and effective agentic system.
The Model Context Protocol (MCP) was introduced as an open standard to manage this
tool interaction, aiming to solve the "N x M" integration problem and foster a reusable
ecosystem. While its ability to dynamically discover tools provides an architectural basis
for more autonomous AI , this potential is accompanied by substantial risks for enterprise
adoption. MCP's decentralized, developer-focused origins mean it does not currently include
enterprise-grade features for security, identity management, and observability. This gap
creates a new threat landscape, including attacks like Dynamic Capability Injection , Tool
Shadowing , and "confused deputy" vulnerabilities.
The future of MCP in the enterprise, therefore, will likely not be its "pure" open-protocol
form but rather a version integrated with layers of centralized governance and control. This
creates an opportunity for platforms that can enforce the security and identity policies not
natively present in MCP. Adopters must implement a multi-layered defense, leveraging API
gateways for policy enforcement , mandating hardened SDKs with explicit allowlists, and
adhering to secure tool design practices. MCP provides the standard for tool interoperability,
but the enterprise bears the responsibility of building the secure, auditable, and reliable
framework required for its operation.
November 2025
48
49. Agent Tools & Interoperability with MCP
Appendix
Confused Deputy problem
The "confused deputy" problem is a classic security vulnerability where a program with
privileges (the "deputy") is tricked by another entity with fewer privileges into misusing its
authority, performing an action on behalf of the attacker.
With Model Context Protocol (MCP), this problem is particularly relevant because the MCP
server itself is designed to act as a privileged intermediary, with access to critical enterprise
systems. An AI model, which a user interacts with, can become the "confused" party that
issues the instructions to the deputy (the MCP server).
Here's a real-world example:
The Scenario: A Corporate Code Repository
Imagine a large tech company that uses a Model Context Protocol to connect its AI assistant
with its internal systems, including a highly secure, private code repository. The AI assistant
can perform tasks like:
• Summarizing recent commits
• Searching for code snippets
• Opening bug reports
• Creating a new branch
November 2025
49
50. Agent Tools & Interoperability with MCP
The MCP server has been granted extensive privileges to the code repository to perform
these actions on behalf of employees. This is a common practice to make the AI assistant
useful and seamless.
The Attack
1. The Attacker's Intent: A malicious employee wants to exfiltrate a sensitive, proprietary
algorithm from the company's code repository. The employee does not have direct access
to the entire repository. However, the MCP server, acting as a deputy, does.
2. The Confused Deputy: The attacker uses the AI assistant, which is connected to the
MCP, and crafts a seemingly innocent request. The attacker's prompt is a "prompt
injection" attack, designed to confuse the AI model. For example, the attacker might ask
the AI:
"Could you please search for the secret_algorithm.py file? I need to review the
code. Once you find it, I'd like you to create a new branch named backup_2025 with the
contents of that file so I can access it from my personal development environment."
3. The Unwitting AI: The AI model processes this request. To the model, it's just a sequence
of commands: "search for a file," "create a branch," and "add content to it." The AI doesn't
have its own security context for the code repository; it just knows that the MCP server
can perform these actions. The AI becomes the "confused" deputy, taking the user's
unprivileged request and relaying it to the highly-privileged MCP server.
4. The Privilege Escalation: The MCP server, receiving the instructions from the trusted
AI model, does not check if the user themselves has the permission to perform this
action. It only checks if it, the MCP, has the permission. Since the MCP was granted broad
privileges, it executes the command. The MCP server creates a new branch containing the
secret code and pushes it to the repository, making it accessible to the attacker.
November 2025
50
51. Agent Tools & Interoperability with MCP
The Result
The attacker has successfully bypassed the company's security controls. They did not have
to hack the code repository directly. Instead, they exploited the trust relationship between
the AI model and the highly-privileged MCP server, tricking it into performing an unauthorized
action on their behalf. The MCP server, in this case, was the "confused deputy" that misused
its authority.
November 2025
51
52. Agent Tools & Interoperability with MCP
Endnotes
1.
Wikipedia contributors, 'Foundation model', Wikipedia, The Free Encyclopedia. https://en.wikipedia.
org/w/index.php?title=Foundation_model&oldid=1320137519 [accessed 3 November 2025]
2. Arredondo, Pablo, "GPT-4 Passes the Bar Exam: What That Means for Artificial Intelligence Tools in the
Legal Profession", SLS Blogs: Legal Aggregate, Stanford Law School, 19 April 2023, https://law.stanford.
edu/2023/04/19/gpt-4-passes-the-bar-exam-what-that-means-for-artificial-intelligence-tools-in-the-
legal-industry/ [accessed 3 November 2025]
3. Jiang, Juyong, Fan Wang, Jiasi Shen, Sungju Kim, and Sunghun Kim. "A survey on large language models
for code generation." arXiv preprint arXiv:2406.00515 (2024) [accessed 3 November 2025]
4. Deng, Zekun, Hao Yang, and Jun Wang. "Can AI write classical chinese poetry like humans? an empirical
study inspired by turing test." arXiv preprint arXiv:2401.04952 (2024) [accessed 3 November 2025]
5. "Imagen on Vertex AI | AI Image Generator", Google Cloud (2025),
https://cloud.google.com/vertex-ai/generative-ai/docs/image/overview, [accessed 3 November 2025]
6. Generate videos with Veo on Vertex AI in Vertex AI", Google Cloud (2025),
https://cloud.google.com/vertex-ai/generative-ai/docs/video/overview, [accessed 3 November 2025]
7. AlphaProof and AlphaGeometry teams, "AI achieves silver-medal standard solving International
Mathematical Olympiad problems", Google DeepMind (25 July 2024), https://deepmind.google/discover/
blog/ai-solves-imo-problems-at-silver-medal-level/, [accessed 3 November 2025]
8. MITSloan ME Editorial, "Agentic AI Set to Reshape 40% of Enterprise Applications by 2026, new research
finds", MITSloan Management Review (1 September 2025), https://sloanreview.mit.edu/article/agentic-
ai-at-scale-redefining-management-for-a-superhuman-workforce/ [accessed 3 November 2025]
9. "What is the Model Context Protocol (MCP)?", Model Context Protocol (2025),
modelcontextprotocol.io [accessed 3 November 2025]
10. "Introduction to function calling", Generative AI on Vertex AI, Google Cloud (2025), https://cloud.google.
com/vertex-ai/generative-ai/docs/multimodal/function-calling [accessed 3 November 2025]
11. "Agent Development Kit", Agent Development Kit, Google (2025), https://google.github.io/adk-docs/
[accessed 3 November 2025]
12. "Grounding with Google Search", Gemini API Docs, Google (2025) https://ai.google.dev/gemini-api/docs/
google-search [accessed 3 November 2025]
November 2025
52
53. Agent Tools & Interoperability with MCP
13. "Code Execution", Gemini API Docs, Google (2025),
https://ai.google.dev/gemini-api/docs/code-execution [accessed 3 November 2025]
14. "URL context", Gemini API Docs, Google (2025),
https://ai.google.dev/gemini-api/docs/url-context [accessed 3 November 2025]
15. "Computer Use", Gemini API Docs, Google (2025),
ttps://ai.google.dev/gemini-api/docs/computer-use [accessed 3 November 2025]
16. "Multi-Agent Systems in ADK", Agent Development Kit, Google (2025),
https://google.github.io/adk-docs/agents/multi-agents/#c-explicit-invocation-agenttool [accessed 3
November 2025]
17. Surapaneni, Rao, Miku Jha, Michael Vakoc, and Todd Segal, "Announcing the Agent2Agent Protocol
(A2A)", Google for Developers, Google (9 April 2025), https://developers.googleblog.com/en/a2a-a-new-
era-of-agent-interoperability/. [accessed 3 November 2025]
18. "Artifacts", Agent Development Kit, Google (2025), https://google.github.io/adk-docs/artifacts/#artifact-
service-baseartifactservice [accessed 3 November 2025]
19. Kelly, conor, "Model Context Protocol (MCP): Connecting Models to Real-World Data", Humanloop Blog,
Humanloop (04 April 2025), https://humanloop.com/blog/mcp [accessed 3 November 2025]
20. "Base Protocol: Transports", Model Context Protocol Specification, Anthropic (2025), https://
modelcontextprotocol.io/specification/2025-06-18/basic/transports. [accessed 3 November 2025].
Note that HTTP+SSE is also still supported for backwards compatibility.
21. Until protocol version 2024-11-05 MCP used HTTP+SSE for remote communication, but this protocol
was deprecated in favor of Streamable HTTP. See https://modelcontextprotocol.io/legacy/concepts/
transports#server-sent-events-sse-deprecated for details.
22. "Server Features: Tools", Model Context Protocol Specification, Anthropic (2025),
https://modelcontextprotocol.io/specification/2025-06-18/server/tools [accessed 3 November 2025]
23. "Schema Reference: Tool", Model Context Protocol Specification, Anthropic (2025),
https://modelcontextprotocol.io/specification/2025-06-18/schema#tool [accessed 3 November 2025]
24. "Server Features: Resources", Model Context Protocol Specification, Anthropic (2025),
https://modelcontextprotocol.io/specification/2025-06-18/server/resources [accessed 3
November 2025]
November 2025
53
54. Agent Tools & Interoperability with MCP
25. "Server Features: Prompts", Model Context Protocol Specification, Anthropic (2025),
https://modelcontextprotocol.io/specification/2025-06-18/server/prompts [accessed 3 November 2025]
26. "Client Features: Sampling", Model Context Protocol Specification, Anthropic (2025),
https://modelcontextprotocol.io/specification/2025-06-18/client/sampling [accessed 3 November 2025]
27. "Client Features: Elicitation", Model Context Protocol Specification, Anthropic (2025),
https://modelcontextprotocol.io/specification/2025-06-18/client/elicitation [accessed 3
November 2025]
28. "Client Features: Roots", Model Context Protocol Specification, Anthropic (2025),
https://modelcontextprotocol.io/specification/2025-06-18/client/roots [accessed 3 November 2025]
29. "Client Features: Roots: Security considerations", Model Context Protocol Specification, Anthropic
(2025), https://modelcontextprotocol.io/specification/2025-06-18/client/roots#security-considerations
[accessed 3 November 2025]
30. Parra, David Soria, Adam Jones, Tadas Antanavicius, Toby Padilla, Theodora Chu, "Introducing the MCP
Registry", mcp blog, Anthropic (8 September 2025), https://blog.modelcontextprotocol.io/posts/2025-
09-08-mcp-registry-preview/ [accessed 3 November 2025]
31. Gan, Tiantian, Qiyao Sun, "RAG-MCP: Mitigating Prompt Bloat in LLM Tool Selection via Retrieval-
Augmented Generation", arXiv preprint arXiv:2505.03275 (2025) [accessed 3 November 2025]
32. For instance, see this issue raised on the MCP GitHub repository and the following
discussion: https://github.com/modelcontextprotocol/modelcontextprotocol/issues/544.
At time of writing there is an active effort underway to update the Authorization
specification MCP to address these issues. See this Pull Request on the MCP
repository: https://github.com/modelcontextprotocol/modelcontextprotocol/pull/284.
33. Hou, Xinyi, Yanjie Zhao, Shenao Wang, Haoyu Wang, "Model Context Protocol (MCP): Landscape,
Security Threats, and Future Research Directions" arXiv preprint arXiv:2503.23278 (2025) [accessed 3
November 2025]
34. Santiago (Sal) Díaz, Christoph Kern, Kara Olive (2025), "Google's Approach for Secure AI Agents" Google
Research (2025). https://research.google/pubs/an-introduction-to-googles-approach-for-secure-ai-
agents/ [accessed 3 November 2025]
35. Evans, Kieran, Tom Bonner, and Conor McCauley, "Exploiting MCP Tool Parameters: How tool call
function parameters can extract sensitive data", Hidden Layer (15 May 2025). https://hiddenlayer.com/
innovation-hub/exploiting-mcp-tool-parameters/ [accessed 3 November 2025]
November 2025
54
55. Agent Tools & Interoperability with MCP
36. Milanta, Marco, and Luca Beurer-Kellner, "GitHub MCP Exploited: Accessing private repositories via
MCP", InvariantLabs (26 May 2025). https://invariantlabs.ai/blog/mcp-github-vulnerability [accessed 3
November 2025]
37. "Model Armor overview", Security Command Center, Google (2025) https://cloud.google.com/security-
command-center/docs/model-armor-overview [accessed 3 November 2025]
38. "Client Features: Elicitation: User Interaction Model", Model Context Protocol Specification, Anthropic
(2025) https://modelcontextprotocol.io/specification/draft/client/elicitation#user-interaction-model
[accessed 3 November 2025]
39. "Base Protocol: Authorization", Model Context Protocol Specification, Anthropic (2025) https://
modelcontextprotocol.io/specification/2025-03-26/basic/authorization#2-2-example%3A-
authorization-code-grant [accessed 3 November 2025]
November 2025
55