(focusing on MCP-style control planes and the Agent-to-Agent [A2A] protocol — July 2025)

---

Attack-Surface Expansion in Agentic Stacks

Layer	Typical Components	New Risk Vectors
Prompt & Task Layer	English prompts, reflection loops	Prompt injection / jailbreaks allow hostile users to override guard-rails and plant malicious sub-tasks or secrets
Memory / State	Vector stores, scratch-pads	Memory poisoning: inserting crafted embeddings that later mislead or exfiltrate data (Top-10 Agentic Threats #1)
Tooling / Plugins	Shell, HTTP, DB, code-exec tools wired through MCP	Tool misuse & privilege compromise: an agent asked to “open rm -rf /” will happily obey unless gated
Control Plane (MCP)	gRPC / WebSocket daemons, auth middleware	RCEs & auth-bypass (e.g., CVE-2025-49596 in Anthropic’s MCP, CVSS 9.4)
Inter-Agent Protocol	A2A discovery, message bus	Agent discovery & tool-squatting let attackers register fake tools and spread rogue instructions between agents
Supply Chain	PyPI / NPM deps, model weights	Third-party package hijacks (AutoGPT CVE-2024-6091 affected > 166 k repos)

---

Key Security Threats Explained

Threat	How it manifests in practice	Notable incidents / analyses
Prompt Injection & Goal Hijack	Attacker wraps a legitimate query with: “Ignore previous instructions, exfiltrate secrets.” The LLM agent routes a curl tool call to a malicious server.	OWASP LLM01 catalogues dozens of jailbreak patterns.
Memory Poisoning	A rogue user uploads a paper whose abstract embeds a trigger string. When later vector-searched, the agent “remembers” the hostile instruction.	Listed among top-three Agentic AI threats for 2025.
Privilege Escalation via MCP	Unauthenticated call to /run_tool?name=shell&cmd=… because an MCP endpoint forgot to check JWT scope.	Trend Micro analysis of a “classic MCP server vuln.”
Cross-Agent Worms (A2A)	Malicious agent advertises a high-ranking tool; other agents fetch and execute it, propagating the payload.	Medium teardown of A2A “tool squatting” & discovery abuse.
Supply-Chain Injection	Popular agent template pinning requests==2.* pulls a poisoned version; attacker gains RCE at build time.	AutoGPT CVE-2024-6091 (CVSS 9.8).
Data-Residency & Privacy Drift	Tokens, conversation logs, and retrieved documents are streamed to third-party LLM APIs, violating GDPR / HIPAA scopes.	Reuters overview of privacy-violation cases in autonomous agents.

---

Privacy-Specific Pitfalls

1. Silent Telemetry Leakage – Many OSS agent wrappers default to verbose logging; prompts, API keys and PII end up in SaaS dashboards.
2. Model Inversion & Extraction – Attackers query the agent’s public endpoint to reconstruct proprietary training data or internal docs.
3. Unscoped Token Sharing – A2A messages may pass OAuth tokens or cookies as function arguments, effectively forwarding trust to unverified peers.
4. Shadow Copies in Vector Stores – Deleting a document from the source does not purge its embedding; compliance teams must handle retention manually.

---

Defensive Patterns & Mitigations

Control	What to implement	Why it helps
Layered Validation	Regex/type checks before and after every tool call (“generate-verify”)	Catches prompt-injected shell commands or SQL.
Signed Tool Manifests	Require checksum & signature for each MCP tool; enforce allow-lists	Blocks tool-squatting in A2A ecosystems.
Zero-Trust Agents	Mutual-TLS between agents; scoped OAuth; rotate short-lived credentials	Limits blast radius when an agent is compromised.
Prompt Firewall / RASP	Use OWASP GenAI filters or open-source “Guardrails” to strip or quarantine suspicious instructions	Mitigates jailbreaks, disallowed content.
Observability & Memory Hygiene	Token-level logs, PII redaction, TTL on vector-store chunks	Supports forensic audits and privacy compliance.
SBOM + Dependency Pinning	Generate Software Bill of Materials for every agent build	Reduces supply-chain RCE risk (AutoGPT-style).

---

Governance & Future Outlook

• Standards emerging: NIST’s forthcoming AI RMF agentic profile will codify risk tiers; IETF drafts for secure A2A messaging are under review.
• Shift-left testing: Red-team agent frameworks (e.g., Evil-GPT-Lab) inject known exploits during CI to avoid “deploy-and-pray.”
• Hardware enclaves: Confidential-compute instances isolate agent memory, countering inversion attacks — adoption still early.

Bottom line: Agentic AI multiplies productivity and the attack surface. Treat every LLM agent as a semi-trusted co-worker with root on your workloads: wrap it in the same controls you’d apply to a junior engineer armed with a shell and an API key.