MCP Composition Scanner: Detecting Emergent Security Risks in Multi-Server Agent Ecosystems
MCP adoption is accelerating - 97 million monthly SDK downloads, 10,000+ active servers - but security tooling hasn't kept up. Most analysis today focuses on individual MCP servers in isolation. That misses a critical blind spot: what happens when frontier models have simultaneous access to tools across multiple MCP servers?
The Problem
When an agent can chain tools from different servers, it can compose capabilities that exceed what any single tool provides. Each step looks benign. The composed trajectory becomes dangerous. We call this a Composition Surplus - an emergent capability that only exists through multi-server tool composition, completely invisible to per-server review.
Think of it this way: Server A gives you credential access. Server B gives you financial transactions. Neither is dangerous alone. Together, an agent can retrieve leaked credentials and make unauthorized purchases. No individual server audit would catch this.
What We Built
The MCP Composition Scanner is the first documented cross-server MCP capability composition analyzer. It performs pre-authorization analysis - evaluating risk before tools are co-authorized, not at runtime when it's already too late.
The scanner connects to multiple MCP servers, maps tool capabilities, detects composition surpluses across server boundaries, and produces actionable governance decisions: ALLOW, BLOCK, or ALLOW_WITH_CONSTRAINTS. This maps directly to how enterprises need to make authorization decisions in production.
It also includes an intent analyzer that uses AI to examine tool descriptions and detect potentially unsafe capabilities before agents can invoke them.
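The cross-server check described above, reduced to its core as an added example (not the scanner's own code): the server names, capability tags and risk rules below are constructed assumptions. A rule is reported as a composition surplus only when a group of servers satisfies it and no single member does.

```python
from itertools import combinations

# Constructed inventory: server -> tool -> capability tags (assumed labels).
INVENTORY = {
    "server_a": {"get_leaked_credentials": {"credential_access"}, "ping": set()},
    "server_b": {"create_payment": {"financial_transaction"}},
    "server_c": {"read_file": {"read_files"}},
    "server_d": {"post_webhook": {"external_send"}},
}

# Hypothetical policy: capability sets treated as risky when held together.
RULES = [
    ({"credential_access", "financial_transaction"}, "BLOCK"),
    ({"read_files", "external_send"}, "ALLOW_WITH_CONSTRAINTS"),
]
SEVERITY = {"ALLOW": 0, "ALLOW_WITH_CONSTRAINTS": 1, "BLOCK": 2}


def server_caps(inventory, server):
    """Union of the capability tags exposed by one server's tools."""
    return set().union(*inventory[server].values())


def composition_surpluses(inventory, servers, rules=RULES):
    """Rules reached by a group of servers but by no single member."""
    caps = {s: server_caps(inventory, s) for s in servers}
    findings = []
    for required, decision in rules:
        if any(required <= c for c in caps.values()):
            continue  # already visible to per-server review: not a surplus
        for size in range(2, len(caps) + 1):
            hits = [g for g in combinations(sorted(caps), size)
                    if required <= set().union(*(caps[s] for s in g))]
            if hits:  # report only the smallest groups that reach the rule
                findings += [(g, decision) for g in hits]
                break
    return findings


def decide(inventory, servers, rules=RULES):
    """Pre-authorization decision for co-authorizing `servers`."""
    findings = composition_surpluses(inventory, servers, rules)
    worst = max((d for _, d in findings), key=SEVERITY.get, default="ALLOW")
    return worst, findings
```

Each server passes on its own (`decide(INVENTORY, ["server_a"])` returns `ALLOW`), while co-authorizing `server_a` with `server_b` returns `BLOCK` and names the pair responsible.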
The Research
The theoretical framework behind the scanner - including the composition surplus operator, the Capability-Delta Hack attack class, governance gap taxonomy, and defense architecture - is documented in our research paper:
P. Bogaerts, "Emergent Capability Composition in Agentic AI Tool Ecosystems: Security Implications of Cross-Protocol Tool Chaining in MCP and A2A Architectures," 2026.
Read the full paper: PDF on GitHub
Get Involved
The MCP Composition Scanner is open source under Apache 2.0. Try it on your own MCP server setup, break it, contribute to it.
- GitHub repo: mcp-composition-scanner
- Research paper: Emergent Capability Composition in Agentic AI Tool Ecosystems (PDF)
- Live demos: MCP: Threats, Tools, and a Few (Hacking) Demos - Belgium Dev Experience Network meetup