Glossary

Agent Scan

agent-scan is a security scanner for agent ecosystems that detects local components – including MCP servers and skills – and identifies risks such as prompt injection, tool poisoning, toxic workflows, hard-coded secrets and insecure handling of credentials. It closes an emerging gap in the transparency of the agent supply chain

Agent2Agent

A2A

Agent2Agent is an open protocol that enables communication and interoperability between agent-based applications.

FastMCP

A Python framework that simplifies the setup, protocol handling and error management of an MCP server by abstracting the complexity of the protocol and enabling development teams to define MCP resources and tools via intuitive Python decorators. This abstraction allows teams to focus on business logic, resulting in clearer and more maintainable MCP implementations.

Whilst FastMCP 1.0 is already integrated into the official MCP Python SDK, the MCP standard continues to evolve rapidly. You should therefore keep an eye on the release of version 2.0 and ensure that you keep pace with changes to the official specification.

See also

• README.v2.md

• Migration Guide: v1 to v2

Model Context Protocol

MCP

open standard that defines how LLM applications and agents integrate with external data sources and tools, with the aim of significantly improving the quality of AI-generated results. MCP focuses on context and access to tools, thereby differing from the Agent2Agent (A2A) protocol, which governs communication between agents. It specifies servers (for data and tools such as databases, wikis and services) as well as clients (agents, applications and coding assistants). Frameworks such as FastMCP have emerged, as has the MCP Registry for identifying public and proprietary tools. However, the protocol also has architectural flaws and has attracted criticism for disregarding established RPC best practices. For production applications, development teams should carry out thorough security checks by mitigating Toxic Flows with tools such as Agent Scan and closely monitoring the authorisation module at runtime.

See also

• What is the Model Context Protocol (MCP)?

Toxic Flows

With the emergence of agents that require extensive permissions, such as OpenClaw, development teams are increasingly deploying agents in environments where they are exposed to a lethal trifecta:

1. Access to private data

2. Exposure to untrusted content, and

3. The ability to communicate externally.

As capabilities grow, so does the attack surface, exposing systems to risks such as prompt injection and tool poisoning.

Toxic flow analysis remains one of the most important techniques for investigating agent-based systems to identify insecure data paths and potential attack vectors. These risks are no longer limited to MCP integrations; we have also observed similar patterns in skills, where a malicious actor can package a seemingly useful function in such a way that it contains a hidden instruction to extract sensitive data. We strongly recommend that development teams working with agents conduct a toxic flow analysis and use tools such as Agent Scan to identify insecure data paths before they are exploited.