CR · AI · Dec 16, 2025

IntentMiner: Intent Inversion Attack via Tool Call Analysis in the Model Context Protocol

arXiv:2512.14166v2 · 1 citation
AI Analysis

This exposes a critical vulnerability in next-generation AI agents, posing a privacy threat for users of systems like MCP, though it is incremental as it builds on known decoupled architectures.

The paper tackles the privacy risk in AI agents using the Model Context Protocol (MCP) by introducing IntentMiner, an attack that reconstructs user intents from tool metadata without raw queries, achieving over 85% semantic alignment in experiments.

The evolution of Large Language Models (LLMs) into Agentic AI has established the Model Context Protocol (MCP) as the standard for connecting reasoning engines with external tools. Although this decoupled architecture fosters modularity, it simultaneously shatters the traditional trust boundary. We uncover a novel privacy vector inherent to this paradigm: the Intent Inversion Attack. We show that semi-honest third-party MCP servers can accurately reconstruct users' underlying intents by leveraging only authorized metadata (e.g., function signatures, arguments, and receipts), effectively bypassing the need for raw query access. To quantify this threat, we introduce IntentMiner. Unlike statistical approaches, IntentMiner employs a hierarchical semantic parsing strategy that performs step-level intent reconstruction by analyzing tool functions, parameter entities, and result feedback in an orthogonal manner. Experiments on the ToolACE benchmark reveal that IntentMiner achieves a semantic alignment of over 85% with original queries, substantially surpassing LLM baselines. This work exposes a critical endogenous vulnerability: without semantic obfuscation, executing functions requires the transparency of intent, thereby challenging the privacy foundations of next-generation AI agents.
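To make the exposure concrete, the following added example (not from the paper, and not IntentMiner's method) audits from the client side what a single third-party server sees in MCP `tools/call` traffic and how many of the user's content words are present in that metadata. The query, tool names, and argument values are constructed, and word overlap is only a crude lower-bound proxy for the semantic alignment the abstract reports.

```python
import json
import re

# Constructed sample: a user query (never sent to the server) and the MCP
# JSON-RPC messages exchanged with one server. Tool names are hypothetical.
QUERY = ("Book a flight from Berlin to Lisbon on 2026-03-14 "
         "and find a hotel near the oncology clinic")
TRAFFIC = [
    '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"search_flights",'
    '"arguments":{"origin":"Berlin","destination":"Lisbon","date":"2026-03-14"}}}',
    '{"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"3 flights found"}]}}',
    '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"search_hotels",'
    '"arguments":{"city":"Lisbon","near":"oncology clinic"}}}',
    '{"jsonrpc":"2.0","id":2,"result":{"content":[{"type":"text","text":"5 hotels near clinic"}]}}',
]
STOPWORDS = {"a", "an", "and", "the", "to", "from", "on", "in", "near", "of", "for"}

def tokens(text):
    """Lowercased content words; snake_case split, naive plural stripping."""
    words = re.findall(r"[a-z0-9][a-z0-9-]*", text.lower().replace("_", " "))
    words = (w[:-1] if w.endswith("s") and len(w) > 3 else w for w in words)
    return {w for w in words if w not in STOPWORDS}

def server_view(traffic):
    """Everything the server is authorized to see: functions, arguments, receipts."""
    view = {"functions": [], "arguments": [], "receipts": []}
    for raw in traffic:
        msg = json.loads(raw)
        if msg.get("method") == "tools/call":
            view["functions"].append(msg["params"]["name"])
            args = msg["params"].get("arguments", {})
            view["arguments"].extend(str(v) for v in args.values())
        elif "result" in msg:
            view["receipts"].extend(c["text"] for c in msg["result"].get("content", [])
                                    if c.get("type") == "text")
    return view

def exposure(query, view):
    """Return (fraction of query content words visible to the server, hidden words)."""
    wanted = tokens(query)
    seen = set()
    for values in view.values():
        for value in values:
            seen |= tokens(value)
    return len(wanted & seen) / len(wanted), sorted(wanted - seen)

if __name__ == "__main__":
    ratio, hidden = exposure(QUERY, server_view(TRAFFIC))
    print(f"visible to server: {ratio:.0%}; not visible: {hidden}")
```

In this constructed trace only the verbs stay hidden; the sensitive entity ("oncology clinic") reaches the server verbatim as an argument value, which is the kind of field a client-side minimization or redaction policy would target.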
