Description-Code Inconsistency in Real-world MCP Servers: Measurement, Detection, and Security Implications

Researchers have identified widespread Description-Code Inconsistency (DCI) in Model Context Protocol servers, where tool descriptions don't match actual implementations. A study of 2,214 MCP servers found that 9.93% of description-code pairs exhibit inconsistencies, creating security vulnerabilities that enable operational failures and malicious behavior in LLM-powered applications.

The Model Context Protocol represents a critical infrastructure layer for LLM integration with external tools, yet researchers have discovered a fundamental trust gap in how these systems operate. When LLMs receive descriptions of tool capabilities that don't align with actual code behavior, the mismatch creates exploitable vulnerabilities. The comprehensive analysis of 19,200 description-code pairs reveals a systemic problem affecting nearly 10% of production MCP servers, suggesting this issue extends beyond isolated incidents to a structural weakness in the ecosystem.

This research addresses a growing challenge as enterprises deploy AI agents with increasing autonomy. The inconsistency taxonomy spans both functionality gaps and undeclared side effects, meaning tools may perform unintended operations that LLMs cannot anticipate or prevent. The DCIChecker framework combines static code analysis with specialized LLM prompting techniques to detect these mismatches automatically, providing a practical detection mechanism for the broader community.

The security implications are substantial. Organizations deploying MCP servers face risks ranging from operational disruptions when tools behave unexpectedly to deliberate exploitation by malicious actors who intentionally obscure dangerous capabilities. For developers, this highlights the need for stricter semantic verification during tool integration. For enterprises using AI agents, the findings suggest current safeguards may be insufficient and that runtime validation of tool behavior deserves increased attention.

The research points toward a maturing understanding of LLM security requirements. As agentic systems become more autonomous, the gap between declared and actual behavior becomes increasingly costly. The proposed mitigation strategies emphasize enforcing semantic consistency, which will likely become a baseline requirement for production MCP deployments.

• →9.93% of description-code pairs in real-world MCP servers exhibit inconsistencies between declared capabilities and actual implementations
• →Description-Code Inconsistency creates security blind spots enabling operational failures and stealthy malicious behaviors in AI agent systems
• →The DCIChecker framework automates detection of DCI using static analysis and Direct-Reverse-Arbitration prompting on large-scale server datasets
• →Inconsistencies span both functional gaps and undeclared side effects that LLMs cannot detect or prevent during tool execution
• →Semantic consistency enforcement and enhanced verification mechanisms are essential for reliable agentic AI ecosystem development