Overview
The Model Context Protocol (MCP) is the primary method for agents to discover and invoke external tools. This process involves a tools/list handshake, which provides tool metadata including a name, a natural-language description, and a JSON input schema. This metadata is presented to a user in a one-time approval dialog and then injected verbatim into the model's context for subsequent interactions. A structural discrepancy exists where the rendered approval view and the bytes delivered to the model can differ.
Research Context
The research focuses on the 'approval-view fidelity gap' within MCP, specifically examining how a difference between the human-visible approval rendering and the data delivered to the model's tokenizer can be exploited. This gap is identified as a 'concealment encoding' mechanism. The study explores the effectiveness of using Unicode's TAG block (U+E0000 to U+E007F), which lacks assigned glyphs in common rendering environments (terminals, chat applications, IDEs), to embed payloads that are invisible to human reviewers but are transmitted byte-for-byte to the model's tokenizer.
Approach
The initial phase of the research involved a model-free, protocol-free analysis to establish that Unicode's TAG block characters are not rendered visibly in mainstream user interfaces but survive byte-for-byte transmission. Following this, a proof-of-concept system was developed to interact with genuine MCP clients and servers, utilizing the real MCP JSON-RPC/stdio protocol.
The researchers implemented eight distinct techniques across five different MCP metadata surfaces. These techniques were tested using a deterministic, protocol-level harness. To ensure the findings were not specific to a single server codebase, the complete catalogue of techniques was re-implemented and tested against three independently developed Python MCP server libraries.
The study also incorporated a representative string-matching sanitizer to observe its efficacy against the implemented techniques and tested for re-approval requirements under a 'time-of-check to time-of-use rug-pull' scenario.
Findings
- The identified concealment encoding mechanism, leveraging Unicode's TAG block, allows payloads to be absent from a human reviewer's view while surviving byte-for-byte into the model's tokenizer.
- All eight implemented techniques successfully delivered an attacker-controlled payload into the model's context.
- Four of the eight techniques evaded the representative string-matching sanitizer.
- Only the TAG-block encoding technique (1 of 8) was invisible in the human approval view while reaching the model verbatim, consistent with the mechanism analysis.
- MCP did not force re-approval for 0 out of 8 techniques, even when a 'time-of-check to time-of-use rug-pull' scenario was applied.
- Testing against three independently developed Python MCP server libraries showed total agreement across all 32 cross-library outcome cells, indicating the findings are a property of the protocol rather than an artifact of a specific server codebase.
- The baseline sanitizer did not flag any of 25 benign descriptions.
Why This Matters
The identified fidelity gap and the demonstrated concealment encoding mechanism indicate a potential vulnerability in how coding agents discover and invoke external tools via the Model Context Protocol. The ability to inject invisible payloads into a model's context, bypassing human review and existing sanitization, highlights a security concern within systems relying on MCP for tool interaction. The consistency of findings across multiple server implementations suggests this is a systemic protocol characteristic.