sovereign-mcp

FrozenNamespace as Root of Trust for Model Context Protocol Tool Verification

*Sovereign Shield / Mattijs Moens — March 2026*

[](https://www.python.org/downloads/) [](LICENSE) []()

---

MCP (Model Context Protocol) has become the standard for connecting AI agents to tools. But the protocol has fundamental security gaps that no amount of patching will fix without an architectural solution.

The 10 biggest MCP vulnerabilities today:

1. No authentication by default. 78% of public MCP implementations have no proper authorization. Anyone who can reach the endpoint can invoke any tool.

1. Tool description poisoning. Malicious content embedded in MCP tool descriptions gets read by the model during tool discovery. The model trusts descriptions as instructions. An attacker can manipulate agent behavior just by modifying a tool's description field.

1. Prompt injection via tool responses. A compromised MCP tool returns prompt injection payloads in its response. The agent processes the response as trusted context and follows the injected instructions. The attack comes from a "trusted" source.

1. Cross-tool context leakage. Data from one tool invocation leaks into subsequent tool calls within the same session. No isolation between tool contexts. Sensitive data from Tool A is visible when Tool B runs because it all lives in the same LLM context window.

1. No input validation. MCP tools receive raw parameters with no schema validation. SQL injection, path traversal, and command injection through tool parameters.

1. Excessive permissions. MCP tools get broad system access with no least-privilege scoping. A "read file" tool that can actually read the e