The evolution of Large Language Model (LLM) and Model Context Protocol (MCP) have facilitated the development of various MCP servers and tools that extend LLM capabilities, allowing LLMs to interact with external services and content. However, these servers also introduce new security threats. Specifically, they are granted privileges to automate tasks such as email processing and cloud infrastructure management. Due to the inherent instability of LLM outputs and their susceptibility to manipulation, attackers can exploit LLMs to illicitly invoke these tools, causing severe damage. Therefore, the analysis and control of privileges for LLM servers are of paramount importance.
This research designs an automated analysis framework to analyze MCP servers and their associated tools. Through static analysis, the framework identifies the privileged APIs called by these tools and their invocation methods. It then categorizes these privileges based on their sensitivity and corresponding behaviors to investigate the current state of privilege usage. We collected 1609 MCP servers and conducted a detailed analysis of 200, revealing that each server requests an average of 40.47s. Furthermore, a significant 52% of these privilege validations rely on API tokens and passwords, which fails to adhere to the principle of least privilege. This study calls for developers to implement stricter privilege controls for MCP servers and actively explore more secure authorization mechanisms.
DownLoad: