Saved in:
Bibliographic Details
Main Authors: Yuan, Zhuowen, Chen, Zhaorun, Xiang, Zhen, Bastian, Nathaniel D., Hashemi, Seyyed Hadi, Xiao, Chaowei, Guo, Wenbo, Li, Bo
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.04426
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914448056254464
author Yuan, Zhuowen
Chen, Zhaorun
Xiang, Zhen
Bastian, Nathaniel D.
Hashemi, Seyyed Hadi
Xiao, Chaowei
Guo, Wenbo
Li, Bo
author_facet Yuan, Zhuowen
Chen, Zhaorun
Xiang, Zhen
Bastian, Nathaniel D.
Hashemi, Seyyed Hadi
Xiao, Chaowei
Guo, Wenbo
Li, Bo
contents Existing research on LLM agent security mainly focuses on prompt injection and unsafe input/output behaviors. However, as agents increasingly rely on third-party tools and MCP servers, a new class of supply-chain threats has emerged, where malicious behaviors are embedded in seemingly benign tools, silently hijacking agent execution, leaking sensitive data, or triggering unauthorized actions. Despite their growing impact, there is currently no comprehensive benchmark for evaluating such threats. To bridge this gap, we introduce SC-Inject-Bench, a large-scale benchmark comprising over 10,000 malicious MCP tools grounded in a taxonomy of 25+ attack types derived from MITRE ATT&CK targeting supply-chain threats. We observe that existing MCP scanners and semantic guardrails perform poorly on this benchmark. Motivated by this finding, we propose ShieldNet, a network-level guardrail framework that detects supply-chain poisoning by observing real network interactions rather than surface-level tool traces. ShieldNet integrates a man-in-the-middle (MITM) proxy and an event extractor to identify critical network behaviors, which are then processed by a lightweight classifier for attack detection. Extensive experiments show that ShieldNet achieves strong detection performance (up to 0.995 F-1 with only 0.8% false positives) while introducing little runtime overhead, substantially outperforming existing MCP scanners and LLM-based guardrails.
format Preprint
id arxiv_https___arxiv_org_abs_2604_04426
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle ShieldNet: Network-Level Guardrails against Emerging Supply-Chain Injections in Agentic Systems
Yuan, Zhuowen
Chen, Zhaorun
Xiang, Zhen
Bastian, Nathaniel D.
Hashemi, Seyyed Hadi
Xiao, Chaowei
Guo, Wenbo
Li, Bo
Artificial Intelligence
Existing research on LLM agent security mainly focuses on prompt injection and unsafe input/output behaviors. However, as agents increasingly rely on third-party tools and MCP servers, a new class of supply-chain threats has emerged, where malicious behaviors are embedded in seemingly benign tools, silently hijacking agent execution, leaking sensitive data, or triggering unauthorized actions. Despite their growing impact, there is currently no comprehensive benchmark for evaluating such threats. To bridge this gap, we introduce SC-Inject-Bench, a large-scale benchmark comprising over 10,000 malicious MCP tools grounded in a taxonomy of 25+ attack types derived from MITRE ATT&CK targeting supply-chain threats. We observe that existing MCP scanners and semantic guardrails perform poorly on this benchmark. Motivated by this finding, we propose ShieldNet, a network-level guardrail framework that detects supply-chain poisoning by observing real network interactions rather than surface-level tool traces. ShieldNet integrates a man-in-the-middle (MITM) proxy and an event extractor to identify critical network behaviors, which are then processed by a lightweight classifier for attack detection. Extensive experiments show that ShieldNet achieves strong detection performance (up to 0.995 F-1 with only 0.8% false positives) while introducing little runtime overhead, substantially outperforming existing MCP scanners and LLM-based guardrails.
title ShieldNet: Network-Level Guardrails against Emerging Supply-Chain Injections in Agentic Systems
topic Artificial Intelligence
url https://arxiv.org/abs/2604.04426