Workshop paper

Securing MCP-based Agent Workflows

Abstract

AI agents are becoming more capable and increasingly integrated into daily life, spanning both enterprise systems and personal applications. However, this adoption introduces new security risks, particularly data leakage through indirect prompt injection attacks. To address this challenge, we present SAMOS, an Information Flow Control (IFC) system designed for the Model Context Protocol (MCP). SAMOS operates at the gateway level, intercepting all MCP tool calls and enforcing security policies based on annotations provided by the agent developer or deployment administrator. By tracking session-level context, SAMOS ensures that information flows remain within intended boundaries and detects policy violations in real time. We validate SAMOS's effectiveness through a case study of a recent vulnerability in the GitHub MCP server, demonstrating that SAMOS can successfully block such attacks while preserving the original functionality.
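To make the gateway-level Information Flow Control described above concrete, the following is an added toy example (not SAMOS's code, and not the GitHub MCP server's API): a gateway that sits in front of an MCP backend, labels every tool with a developer-supplied annotation, keeps a per-session "high-water mark" of the most sensitive data the agent has observed, and refuses any tool call whose sink is less trusted than that mark. The tool names, the three-level label lattice, the annotations, the fake backend and the sample scenarios are all constructed for illustration; the real policy language and label model of SAMOS are not on the page.

```python
"""Toy session-level IFC gateway for MCP tool calls (added illustration, not SAMOS)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed confidentiality lattice: PUBLIC < INTERNAL < PRIVATE.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "PRIVATE": 2}


@dataclass(frozen=True)
class ToolAnnotation:
    """Annotation an agent developer or administrator attaches to one tool."""
    reads: str                   # label of the data the tool returns into the session
    writes: Optional[str] = None # label of the sink the tool pushes its arguments to


# Constructed annotations for hypothetical tools (not real MCP server tools).
ANNOTATIONS = {
    "read_public_issue":  ToolAnnotation(reads="PUBLIC"),
    "read_private_issue": ToolAnnotation(reads="PRIVATE"),
    "post_internal_note": ToolAnnotation(reads="INTERNAL", writes="INTERNAL"),
    "create_public_pr":   ToolAnnotation(reads="PUBLIC", writes="PUBLIC"),
}


class PolicyViolation(Exception):
    """Raised by the gateway when a tool call would violate the flow policy."""


@dataclass
class Session:
    # Highest label the agent has observed so far in this session (its taint).
    context_level: int = 0
    log: list = field(default_factory=list)


class Gateway:
    """Intercepts every tool call between the agent and the MCP backend."""

    def __init__(self, annotations: dict, backend: Callable[[str, dict], str]):
        self.annotations = annotations
        self.backend = backend  # stands in for the real MCP server

    def call(self, session: Session, tool: str, args: dict) -> str:
        ann = self.annotations.get(tool)
        if ann is None:
            # Fail closed: an unannotated tool cannot be reasoned about.
            session.log.append(("BLOCKED", tool))
            raise PolicyViolation(f"unannotated tool {tool!r} refused")
        # Write check: the sink must be at least as confidential as the session context,
        # otherwise previously observed sensitive data could flow out.
        if ann.writes is not None and LEVELS[ann.writes] < session.context_level:
            session.log.append(("BLOCKED", tool))
            raise PolicyViolation(
                f"{tool!r} writes to {ann.writes} but session context is level "
                f"{session.context_level}")
        result = self.backend(tool, args)
        # Read side: everything the agent now sees raises the session taint.
        session.context_level = max(session.context_level, LEVELS[ann.reads])
        session.log.append(("ALLOWED", tool))
        return result


# Constructed backend data: a public issue body is attacker-controlled text and may
# carry injected instructions; a private issue holds data that must not leave.
FAKE_STORE = {
    "read_public_issue": "Bug report text (untrusted, may contain injected instructions)",
    "read_private_issue": "CONSTRUCTED PRIVATE DATA",
}


def fake_backend(tool: str, args: dict) -> str:
    return FAKE_STORE.get(tool, f"{tool} ok")


def run_injected_scenario() -> list:
    """Agent reads an untrusted public issue, then (following injected instructions)
    reads a private issue and tries to publish it. Returns the gateway log."""
    gw, s = Gateway(ANNOTATIONS, fake_backend), Session()
    gw.call(s, "read_public_issue", {})
    gw.call(s, "read_private_issue", {})
    try:
        gw.call(s, "create_public_pr", {"body": "..."})
    except PolicyViolation:
        pass  # exfiltration attempt detected and blocked in real time
    return s.log


def run_benign_scenario() -> list:
    """Same tools, but no private data was observed, so the PR is allowed."""
    gw, s = Gateway(ANNOTATIONS, fake_backend), Session()
    gw.call(s, "read_public_issue", {})
    gw.call(s, "create_public_pr", {"body": "fix typo"})
    return s.log


if __name__ == "__main__":
    print(run_injected_scenario())
    print(run_benign_scenario())
```

The point of the two scenarios is that the policy never looks at the text of the tool arguments, so it does not depend on recognising the injected instructions; it only tracks what the agent has already seen and where the current call would send data. A coarse session-wide high-water mark like this one preserves ordinary functionality (the benign PR still goes through) at the cost of some over-approximation, since any private read taints the whole rest of the session.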