AI/ ai · security · ai agents · mcp

ChainCaps Tackles the Hidden Risk in AI Tool Chains

A new MCP proxy called ChainCaps blocks a class of AI agent exploits where each tool step looks safe but the combined effect isn't.

AI agents can pass every permission check and still do something they shouldn't.

Researchers have published ChainCaps, a runtime safety layer for tool-using AI agents that targets what the paper calls "permission laundering" — the scenario where an agent reads a confidential file, summarizes it, then ships that summary to an external endpoint, with each step technically authorized. The system works by attaching a capability budget to every value an agent handles; as data moves through a tool chain, those budgets can only shrink, never grow. ChainCaps is implemented as a proxy for the Model Context Protocol, meaning it sits between the agent and its tools without requiring changes to either. Tested across 82 tasks on five frontier models from three providers, it cut attack success rates from a range of 25-68% down to 0-4.8%, while keeping 96-100% of normal tasks intact.

The significance here is less the numbers and more the structural insight. Current agent permission models treat each tool call in isolation — a design assumption that made sense when agents ran simple, single-step tasks but breaks down as they chain file systems, web APIs, code interpreters, and enterprise services together at runtime. ChainCaps formalizes a principle — authority can only attenuate through composition, never amplify — that existing scalar information-flow controls and per-function isolation approaches apparently fail to enforce.

There is a catch the authors flag plainly: manifest quality is the dominant variable. Expert-written capability manifests hit 100% attack blocking; naive manifests drop that to 27.3%. That means the security guarantee is only as good as the humans writing the configuration — a familiar story in access control, and one that tends to get glossed over in benchmark headlines.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →