Chen Xiong, Xiangyu Qi, et al.
ACL 2025
The Model Context Protocol (MCP) is an open-source protocol that standardizes how Large Language Models (LLMs) interact with their environment through programmatic functions called tools. Attackers or malicious agents can abuse specific modalities of these MCP tools to diminish the overall quality of service of an agent-based application. For example, a social networking or dating tool might use an excessively large radius parameter that strains the server, or an agent might deliberately request YouTube videos of extreme length. These behaviors cause high resource consumption on servers, potentially leading to denial of service or degraded performance.
Each modality (images, video, text, database queries, etc.) has unique vectors for exploitation, making it difficult for security practitioners to identify consistent, reusable patterns of resource abuse. Different tools and applications across these modalities may use distinct request schemas and parameters to exert resource pressure, requiring cross-cutting policies that are generic yet precise enough to enforce reasonable caps.
In this case study, we examine the prevalence of unrestricted resource consumption across different tool modalities exposed by MCP servers, analyzing 2,422 tools across 148 MCP servers listed in the OpenTools MCP server registry. Next, we leverage and evaluate LLMs to identify and classify tool requests that exhibit resource abuse patterns across these modalities. Finally, we assess the effectiveness of security policy enforcement by interposing this component into agent tool interactions through integration with an Open Policy Agent (OPA) policy engine and utilizing the open source ContextForge MCP Gateway pluggable security framework.
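As an added illustration (not code from the paper, from ContextForge, or from OPA), a Python stand-in for the kind of cross-cutting cap policy the abstract describes: caps are keyed by modality, and each tool maps its own parameter names onto those generic caps, so one rule set covers tools with different request schemas. Tool names, parameter names and cap values are constructed for the example; in a deployment the same decision logic would be expressed as an OPA policy evaluated by the gateway.

```python
from dataclasses import dataclass, field
from numbers import Real

# Generic caps keyed by modality rather than by tool, so one policy covers
# tools whose request schemas differ. Cap values are constructed for this example.
MODALITY_CAPS = {
    "geo":   {"radius_km": 50.0},        # "nearby" searches in social/dating tools
    "video": {"max_duration_s": 3600},   # video fetch / transcode requests
    "db":    {"limit": 1000},            # row counts for query tools
}

@dataclass
class ToolProfile:
    """Maps a tool's own parameter names onto the generic cap names."""
    modality: str
    param_map: dict  # tool parameter name -> generic cap name

# Constructed tool names; a gateway would load these from its tool registry.
TOOL_PROFILES = {
    "nearby_profiles": ToolProfile("geo",   {"radius": "radius_km"}),
    "youtube_fetch":   ToolProfile("video", {"duration": "max_duration_s"}),
    "sql_query":       ToolProfile("db",    {"row_limit": "limit"}),
}

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)

def evaluate(tool: str, args: dict) -> Decision:
    """Policy decision for one tool call. Fails closed: unknown tools, missing
    bounded parameters and non-numeric values are all denied, because an
    unbounded request is exactly the resource-abuse pattern being capped."""
    profile = TOOL_PROFILES.get(tool)
    if profile is None:
        return Decision(False, [f"{tool}: no resource profile registered"])
    reasons = []
    for param, cap_name in profile.param_map.items():
        cap = MODALITY_CAPS[profile.modality][cap_name]
        value = args.get(param)
        # bool is a subclass of int, so exclude it explicitly
        if not isinstance(value, Real) or isinstance(value, bool):
            reasons.append(f"{tool}.{param}: missing or non-numeric ({value!r})")
        elif value < 0 or value > cap:
            reasons.append(f"{tool}.{param}={value} outside [0, {cap}]")
    return Decision(not reasons, reasons)

if __name__ == "__main__":
    for call in [("nearby_profiles", {"radius": 10}), ("nearby_profiles", {"radius": 5000}),
                 ("youtube_fetch", {}), ("sql_query", {"row_limit": "all"})]:
        print(call, evaluate(*call))
```

The deny reasons are written so they can be logged as audit records by the gateway, which gives a detection signal (which tool, which parameter, how far over the cap) alongside the enforcement.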