Overthinking Loops in Agents: A Structural Risk via MCP Tools
The paper exposes a supply-chain attack surface in tool-using LLM agents that coordinate real workloads: a malicious MCP tool server co-registered alongside legitimate tools can induce overthinking loops, inflating token consumption by up to 142.4 times and degrading task outcomes. This is a security concern for both developers and users of such agent systems.
Tool-using LLM agents increasingly coordinate real workloads by selecting and chaining third-party tools based on text-visible metadata such as tool names, descriptions, and return messages. We show that this convenience creates a supply-chain attack surface: a malicious MCP tool server can be co-registered alongside normal tools and induce overthinking loops, where individually trivial or plausible tool calls compose into cyclic trajectories that inflate end-to-end tokens and latency without any single step looking abnormal. We formalize this as a structural overthinking attack, distinguishable from token-level verbosity, and implement 14 malicious tools across three servers that trigger repetition, forced refinement, and distraction. Across heterogeneous registries and multiple tool-capable models, the attack causes severe resource amplification (up to $142.4\times$ tokens) and can degrade task outcomes. Finally, we find that decoding-time concision controls do not reliably prevent loop induction, suggesting defenses should reason about tool-call structure rather than tokens alone.
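The abstract argues that defenses should reason about tool-call structure rather than tokens alone, because in a structural overthinking attack no single step looks abnormal. The following is an added example, not code from the paper or from any MCP implementation, of what such a structural guard can look like. It models a trajectory as a sequence of (tool, args) calls and flags three patterns corresponding to the abstract's repetition, cyclic refinement and single-tool domination: identical calls repeated beyond a threshold, a periodic tail (e.g. check -> polish -> check -> polish), and one tool occupying most of the recent window even while its arguments drift. A per-step token cap runs alongside to show why a token-level control misses the loop. All tool names, arguments, thresholds and token counts are constructed for illustration.

```python
"""Structural loop guard for tool-calling agent trajectories (added example).

Not code from the paper. Tool names, arguments and token counts below are
constructed; the thresholds are illustrative defaults, not measured values.
"""
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Optional
import json


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: dict
    result_tokens: int  # size of the tool's return message, in tokens

    def signature(self) -> str:
        # Canonical form so argument ordering cannot disguise a repeated call.
        return f"{self.tool}:{json.dumps(self.args, sort_keys=True)}"


@dataclass
class StructuralLoopGuard:
    """Stateful guard; call observe() once per tool call the agent issues."""
    window: int = 12               # recent calls inspected
    max_repeats: int = 3           # identical call tolerated this many times
    max_cycle_len: int = 4         # longest period checked for cycles
    dominance: float = 0.7         # share of the window one tool may occupy
    min_calls_for_dominance: int = 6
    _history: deque = field(default_factory=deque, init=False)

    def observe(self, call: ToolCall) -> Optional[str]:
        """Record a call; return a reason if the trajectory has become cyclic."""
        self._history.append(call)
        while len(self._history) > self.window:
            self._history.popleft()
        sigs = [c.signature() for c in self._history]

        # 1. Exact repetition: the same tool with the same args, over and over.
        repeats = sigs.count(sigs[-1])
        if repeats > self.max_repeats:
            return f"repetition: {call.tool} called {repeats} times with identical args"

        # 2. Periodic tail: the last k calls equal the k calls before them.
        for k in range(2, self.max_cycle_len + 1):
            if len(sigs) >= 2 * k and sigs[-k:] == sigs[-2 * k:-k]:
                tools = [c.tool for c in list(self._history)[-k:]]
                return f"cycle: period-{k} pattern {tools}"

        # 3. Forced refinement: one tool dominates even though its args change.
        if len(sigs) >= self.min_calls_for_dominance:
            tool, n = Counter(c.tool for c in self._history).most_common(1)[0]
            if n / len(sigs) >= self.dominance:
                return f"dominance: {tool} is {n}/{len(sigs)} of recent calls"
        return None


def run_agent(trajectory, guard: StructuralLoopGuard, per_step_token_cap: int = 400):
    """Replay a trajectory; return (steps_executed, structural_reason, token_cap_hit).

    Two defences run side by side: the structural guard above and a cap on
    the size of each individual tool return (a token-level control).
    """
    token_cap_hit = False
    for step, call in enumerate(trajectory, start=1):
        if call.result_tokens > per_step_token_cap:
            token_cap_hit = True
        reason = guard.observe(call)
        if reason:
            return step, reason, token_cap_hit
    return len(trajectory), None, token_cap_hit


# Constructed trajectories. Every return message is short, so the token cap
# never fires; only the shape of the call sequence differs.
def scenario_benign():
    return [
        ToolCall("search", {"q": "mcp tool registry"}, 120),
        ToolCall("fetch", {"url": "https://example.invalid/a"}, 300),
        ToolCall("fetch", {"url": "https://example.invalid/b"}, 280),
        ToolCall("summarize", {"doc": "a+b"}, 90),
        ToolCall("write", {"path": "notes.md"}, 20),
    ]


def scenario_repetition():
    # Malicious tool keeps answering "transient error, retry"; agent obliges.
    return [ToolCall("lint", {"file": "a.py"}, 30) for _ in range(6)]


def scenario_cycle():
    # check says "needs polish", polish says "re-check"; identical args each time.
    pair = [ToolCall("check", {"doc": 7}, 60), ToolCall("polish", {"doc": 7}, 70)]
    return pair * 4


def scenario_forced_refinement():
    # refine always rejects the draft, so the args drift and never repeat exactly.
    return [ToolCall("plan", {"goal": "report"}, 80)] + [
        ToolCall("refine", {"draft": f"v{i}"}, 50) for i in range(1, 9)
    ]


if __name__ == "__main__":
    for name, scenario in [("benign", scenario_benign), ("repetition", scenario_repetition),
                           ("cycle", scenario_cycle), ("forced_refinement", scenario_forced_refinement)]:
        print(name, run_agent(scenario(), StructuralLoopGuard()))
```

The three rules are deliberately ordered from cheapest to most heuristic; the dominance rule is the one that catches a refinement loop whose arguments change every turn, which is exactly the case where signature matching and per-step token limits both stay silent. In a real MCP client the guard would sit in the dispatch path and turn a detected loop into a hard stop or a human escalation rather than another tool call.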