MCP Security Extension: Attested Tool-Server Admission for LLM Agents
A new security mechanism, mcp-attested, addresses the trust gap in the Model Context Protocol (MCP) by letting a host verify a tool server's identity and bound which servers and tools an LLM agent may use. Developed from the need to safely integrate Google's MCP servers (Gmail, Calendar, Drive) with the Enclawed agent, the system adds three offline-signed mechanisms without altering MCP or Enclawed's tool API. The solution is open-sourced in the enclawed-oss and enclaved distributions, and generalizes to any regulated deployment that requires admission of third-party tool servers.
Key facts
- MCP standardizes message exchange between LLM agents and tool servers but gives a host no mechanism to verify a tool server or bound what it may expose.
- mcp-attested was built to let the Enclawed agent use Google's MCP servers safely.
- Google's servers include Gmail, Calendar, and Drive.
- The mechanism bounds which servers and tools an agent may use.
- It does not change MCP or Enclawed's tool API.
- mcp-attested is shipped in both open enclawed-oss and enclaved distributions.
- Three additive offline-signed mechanisms close the trust gap.
- The solution generalizes to any deployment in which an agent connects directly to an unmediated third-party tool server.
Entities
Institutions
- arXiv
- Enclawed
- enclawed-oss
- enclaved