Agent Protocols Fail at the Seams | Focused Labs

Agent Protocols Fail at the Seams | Focused Labs

智能体协议在衔接处失效 | Focused Labs

The agent protocols are becoming integrated into normal software infrastructure, making integration easier. And this is making ownership blurrier. These all make integration easier, so that’s great for product teams that want agents working together quickly. But then this becomes another failure surface in addition to specification. In this case, content flows quickly, and so do the different standards for delegation and state and all the rest. Meanwhile, ownership has traditionally moved more slowly through the org chart than that, so the mismatch becomes a problem for everybody.

智能体协议正逐渐融入常规软件基础设施,使得集成变得更加容易。然而,这也导致了权责界限变得模糊。虽然这些协议简化了集成,对那些希望智能体快速协作的产品团队来说是件好事,但它同时也成为了除规范之外的另一个故障面。在这种情况下,内容流动迅速,关于授权、状态以及其他方面的各种标准也随之快速更迭。与此同时,组织架构中的权责归属通常演进得较慢,这种错位便成了困扰所有人的问题。

Research is emerging around the integration of different agent protocols and the security of their composition. A 2026 paper, Formal Security Analysis of Agent Protocol Composition, investigates five agent protocols, finds 35 specification-level findings, backs them with 80 detailed implementation tests, and adds 30 failures found when the protocols were composed together as part of a larger system.

围绕不同智能体协议的集成及其组合安全性,相关研究正在涌现。2026 年的一篇论文《智能体协议组合的形式化安全分析》(Formal Security Analysis of Agent Protocol Composition)调查了五种智能体协议,发现了 35 个规范层面的问题,并通过 80 项详细的实现测试进行了验证,此外还发现了 30 个当这些协议作为更大系统的一部分组合在一起时所产生的故障。

Finally, the years of pressuring AI agent vendors to connect together are starting to bear fruit. Work that can be done by isolated ‘agents’ is child’s play. The work of an enterprise is to cross boundaries in every direction. It has to traverse files, work items, schedules, databases, customer records in CRM systems, web pages viewed in browsers, software repositories, and APIs for internal services. Clean locally. Sketchy globally. Protocols standardize communication, not responsibility.

最终,多年来推动 AI 智能体供应商实现互联的努力开始结出硕果。孤立的“智能体”所能完成的工作只是小儿科。企业的核心工作在于跨越各个方向的边界。它必须穿梭于文件、工作项、日程安排、数据库、CRM 系统中的客户记录、浏览器查看的网页、软件仓库以及内部服务的 API 之间。局部清晰,全局却充满隐患。协议标准化了通信,而非责任。

Note to buyers: IBM’s useful definition says AI agent protocols standardize communication among AI agents and between agents and other system components; they do not standardize workflow coordination, execution, or optimization. Don’t make the stupid mistake of believing protocol support automatically includes control plane functionality.

给买家的提示:IBM 的一个实用定义指出,AI 智能体协议标准化了 AI 智能体之间以及智能体与其他系统组件之间的通信;它们并不标准化工作流的协调、执行或优化。不要犯那种认为支持协议就自动包含控制平面功能的愚蠢错误。

MCP (Model Context Protocol) allows agents to discover tools and call them. A2A (Agent to Agent) allows independent agents to interact with each other using a standard interface. ACP (Agent Communication Protocol) allows agents to interact with each other using a REST interface (synchronous and asynchronous, streaming, stateful and stateless, online and offline, long running etc). It describes a thick grammar layer. Grammar does not decide who can touch payroll.

MCP(模型上下文协议)允许智能体发现并调用工具。A2A(智能体对智能体)允许独立的智能体使用标准接口相互交互。ACP(智能体通信协议)允许智能体使用 REST 接口(支持同步与异步、流式传输、有状态与无状态、在线与离线、长任务等)进行交互。它描述了一个厚重的语法层。但语法并不能决定谁有权访问工资单。

The A2A 1.0 specification describes A2A in terms of three layers: the canonical data model, abstract operations, and bindings to specific protocols. Appendix A gives the enterprise pattern in miniature. An A2A client agent asks an A2A server agent to perform work. The server agent can then use tools and APIs supported by MCP. The architecture is useful for enterprise work and is exactly the direction people are moving AI agents.

A2A 1.0 规范从三个层面描述了 A2A:规范数据模型、抽象操作以及针对特定协议的绑定。附录 A 给出了企业模式的缩影。一个 A2A 客户端智能体请求 A2A 服务器智能体执行工作,服务器智能体随后可以使用 MCP 支持的工具和 API。这种架构对企业工作非常有用,也正是人们推动 AI 智能体发展的方向。

ACP explicitly states the quiet part. The Agent Communication Protocol docs pitch interoperability between different frameworks, teams, and infrastructures. ACP exposes a REST API and is therefore opaque to the method calling the API. It supports long-running tasks, cancellation, streaming messages, and discovery. But as always: what looks valid as a method call can still be wrong when executed at runtime as part of a longer composed path of actions. The risky boundary is where locally valid protocol calls become one composed path.

ACP 明确指出了那些心照不宣的事实。智能体通信协议文档强调了不同框架、团队和基础设施之间的互操作性。ACP 暴露了一个 REST API,因此对于调用该 API 的方法来说,它是透明的(不透明的)。它支持长任务、取消、流式消息和发现机制。但一如既往:看起来有效的方法调用,在运行时作为更长组合动作路径的一部分执行时,仍可能出错。风险边界在于:局部有效的协议调用汇聚成了一条组合路径。

This is why MCP security starts after tool approval. Approving a server, registering its tools, and checking schemas only proves that a local component has a shape the client recognizes. Runtime security starts when the system asks a set of questions: What changed? What authority is being carried forward? What content entered the model’s context? What evidence will there be after the action is taken?

这就是为什么 MCP 安全性始于工具批准之后。批准服务器、注册工具并检查模式,只能证明本地组件具有客户端可识别的形态。运行时安全始于系统提出一系列问题时:发生了什么变化?携带了什么权限?什么内容进入了模型的上下文?采取行动后会留下什么证据?

The failure moves through content, delegation, and authority. The AgentThread paper includes an example that is simple but should make security teams squint. One MCP server fetches attacker-controlled web content. Hidden instructions enter the model context. A second MCP server has file access. The agent reads local data and sends it back out through the first server. The paper describes the unsafe behavior as composition, implicit authority transfer, missing consent, and weak audit visibility across the agent runtime. No single action needs to be out of the ordinary. Get a web page. Read a local file. Send the result of that. The failure is the path.

故障会通过内容、授权和权限进行传递。《AgentThread》论文包含一个简单但足以让安全团队警惕的例子:一个 MCP 服务器获取了攻击者控制的网页内容,隐藏指令随之进入模型上下文。第二个 MCP 服务器拥有文件访问权限。智能体读取本地数据,并通过第一个服务器将其发送出去。论文将这种不安全行为描述为组合、隐式权限转移、缺乏同意以及整个智能体运行时缺乏审计可见性。其中任何单一动作看起来都很正常:获取网页、读取本地文件、发送结果。但故障就出在路径上。

The old framing of mcp security as a checklist around one server is too small. CoSAI’s Model Context Protocol Security whitepaper maps MCP to twelve threat categories and almost forty threats, including identity, access control, input and data boundaries, trust boundaries, lifecycle governance, logging, monitoring, and auditability. That taxonomy belongs in deployment design.

将 MCP 安全性仅仅视为围绕单个服务器的检查清单,这种旧观念太狭隘了。CoSAI 的《模型上下文协议安全白皮书》将 MCP 映射到十二个威胁类别和近四十种威胁,包括身份、访问控制、输入与数据边界、信任边界、生命周期治理、日志记录、监控和可审计性。这种分类法应当纳入部署设计中。

This is related to the prior post on the tool-call boundary. AI agent security happens at the tool call. But now that the tool call is a node in a larger composed route, the runtime must remember the content and the delegation that happened before calling that tool. A runtime that only checks the tool call is doing the bouncer’s work at one door, while there are tunnels in the building.

这与之前关于工具调用边界的文章有关。AI 智能体安全发生在工具调用处。但既然工具调用现在是更大组合路径中的一个节点,运行时就必须记住在调用该工具之前所发生的内容和授权。如果一个运行时只检查工具调用,那就像是在一扇门前做保镖的工作,而大楼里却到处都是地道。

SDK conformance is not runtime safety. I like standards. I want fewer custom connectors. I want agents to connect to tools, agents, and servers without six months of mapping fields between corresponding data objects. The AgentThread authors break down security failures at the protocol level to describe separate problems: unsafe behavior within a single protocol, missing SDK recommendations, missing deployment hardening, and unassigned responsibilities in cross-protocol cases.

SDK 一致性并不等于运行时安全。我喜欢标准,我希望减少自定义连接器。我希望智能体能够连接到工具、智能体和服务器,而无需花费六个月时间在对应的数据对象之间映射字段。《AgentThread》的作者在协议层面剖析了安全故障,描述了不同的问题:单一协议内的不安全行为、缺失的 SDK 建议、缺失的部署加固,以及跨协议案例中未分配的责任。

Ultimately, the authors find that agent-protocol insecurity stems from responsibility gaps across protocols, SDKs, and deployments, failures that occur when semantic content, delegated authority, and tool access cross protocol boundaries. When a set of features required for securing agent-protocol interactions is distributed across three SDKs and documented in a wiki, no one ends up owning the seam.

最终,作者发现智能体协议的不安全性源于协议、SDK 和部署之间的责任缺口,这些故障发生在语义内容、委托权限和工具访问跨越协议边界时。当保障智能体协议交互所需的一系列功能被分散在三个 SDK 中,并仅仅记录在维基文档里时,最终没有人会去负责这些衔接处。