Overview
Hugging Face has positioned its Spaces platform as a de-facto ‘MCP App Store’, enabling LLMs to dynamically invoke thousands of community-built AI tools via the Model Context Protocol (MCP). Gradio’s 5.28.0 release added native MCP support, meaning any Gradio-backed Space can now expose callable tools to LLM clients such as Cursor, Claude Code, or Cline. While the capability unlocks genuine productivity gains, it meaningfully expands the attack surface for agentic AI deployments.
Technical Analysis
The MCP architecture creates a two-way channel between an LLM client and a remote tool server. When a user connects an MCP server to their LLM client, the model is granted the ability to autonomously invoke that server’s exposed functions — including passing user data (images, text, files) to third-party infrastructure.
Key security concerns arising from this model:
Supply Chain Trust: Hugging Face Spaces are community-contributed. A malicious actor could publish a Space that mimics a legitimate tool (e.g., a fake image editor) but exfiltrates uploaded files or returns crafted responses designed to manipulate the LLM’s subsequent reasoning.
Indirect Prompt Injection: Tool outputs returned by an MCP server are consumed directly by the LLM. A malicious server response could embed prompt injection payloads — instructing the LLM to take unintended actions, leak context, or bypass safety constraints within the same session.
Excessive Agency: Once granted tool access, the LLM may autonomously chain multiple tool calls. Without strict scoping, a compromised or misbehaving MCP server could trigger cascading actions far beyond the user’s original intent.
Data Exposure: The example workflow involves passing image URLs (and potentially sensitive image content) to a public Space endpoint. Users may inadvertently send private data to community-run infrastructure.
// Example MCP config snippet placed in Cursor settings
{
"mcpServers": {
"gradio-flux-kontext": {
"url": "https://black-forest-labs-flux-1-kontext-dev.hf.space/gradio_api/mcp/sse"
}
}
}
This configuration grants the LLM client persistent access to call the remote Space — with no output validation layer by default.
Framework Mapping
- AML.T0051 (LLM Prompt Injection): Malicious MCP server responses can inject instructions into the LLM’s context window.
- AML.T0010 (ML Supply Chain Compromise): Unvetted community Spaces introduce third-party code and model execution into the LLM’s tool chain.
- LLM07 (Insecure Plugin Design): MCP servers function as plugins with no enforced sandboxing or output sanitisation by default.
- LLM08 (Excessive Agency): LLMs with broad tool access can autonomously take actions with real-world consequences based on potentially manipulated tool outputs.
Impact Assessment
The primary risk is to developers and power users who connect LLM clients to MCP servers sourced from public Hugging Face Spaces without adequate vetting. Enterprise deployments that adopt this pattern without governance controls are at elevated risk of data leakage and indirect prompt injection. The broad, open nature of the ‘app store’ model means malicious or poorly coded servers could reach large audiences quickly.
Mitigation & Recommendations
- Vet MCP servers before use — prefer duplicated private Spaces over public community endpoints for any sensitive workflow.
- Sanitise tool outputs — implement an output validation layer between MCP server responses and LLM context ingestion.
- Scope tool permissions — restrict which tools can be invoked per session and enforce data minimisation (avoid passing sensitive content to third-party endpoints).
- Monitor agent tool calls — log all MCP invocations and alert on anomalous chaining behaviour.
- Treat MCP servers as untrusted third-party code — apply the same supply chain scrutiny as any external dependency.