Agent protocol composition risks are flying under the radar
Agent protocol composition risks are flying under the radar.
They come from implicit authority transfer, missing consent boundaries, and weak audit visibility across protocol boundaries.
Palo Alto Networks and Meta performed a security assurance review and composition analysis of five agent protocols.
Highlights:
- 35 specification-level findings and 80 implementation tests against production SDKs.
- 30 additional failures that emerge only under protocol composition.
- Only one protocol enforces a security-relevant control in practice.
- No protocol enforces cross-protocol behavior.
My take:
- The most common case, MCP↔ACP-Client, shows that sanitization, local-action control, and cross-protocol behavior are spread across different parties with no single control over the full path.
- Protocol implementation matters, but composition safety and responsibility gaps create less visible risks.
- I agree with the authors that composition failures are hard to fix and often survive the normal disclosure pipeline: the responsibility chain has no clear endpoint. The authors propose composition contracts and enforcement responsibility for the runtimes, but I'm not sure it's implementable in practice at this stage of the protocol wars.