This paper addresses novel security challenges in the Model Context Protocol (MCP) ecosystem arising from the decoupling of context and execution, systematically exposing risks of privilege escalation via weaponized context—and for the first time, rigorously distinguishing adversarial security threats from cognitive security risks (e.g., hallucination-induced privilege escalation). Method: We propose a “provenance–verification” collaborative defense framework comprising cryptographic context provenance (ETDI), runtime intent validation, and prompt injection detection to identify structural vulnerabilities in MCP’s core primitives. We establish a three-dimensional threat taxonomy spanning resources, prompts, and tools, and empirically evaluate existing mitigation mechanisms. Contribution/Results: Our work delivers the first systematic security assurance framework for agent-based AI operating systems, including a principled vulnerability analysis, a comprehensive threat classification, and an evolutionary roadmap toward secure autonomous agent systems.

The Model Context Protocol (MCP) has emerged as the de facto standard for connecting Large Language Models (LLMs) to external data and tools, effectively functioning as the "USB-C for Agentic AI." While this decoupling of context and execution solves critical interoperability challenges, it introduces a profound new threat landscape where the boundary between epistemic errors (hallucinations) and security breaches (unauthorized actions) dissolves. This Systematization of Knowledge (SoK) aims to provide a comprehensive taxonomy of risks in the MCP ecosystem, distinguishing between adversarial security threats (e.g., indirect prompt injection, tool poisoning) and epistemic safety hazards (e.g., alignment failures in distributed tool delegation). We analyze the structural vulnerabilities of MCP primitives, specifically Resources, Prompts, and Tools, and demonstrate how "context" can be weaponized to trigger unauthorized operations in multi-agent environments. Furthermore, we survey state-of-the-art defenses, ranging from cryptographic provenance (ETDI) to runtime intent verification, and conclude with a roadmap for securing the transition from conversational chatbots to autonomous agentic operating systems.