[2602.15945] From Tool Orchestration to Code Execution: A Study of MCP Design Choices
Summary
This paper explores the design choices of Model Context Protocols (MCPs) and introduces Code Execution MCP (CE-MCP) as a solution to scalability issues, while addressing security vulnerabilities associated with this approach.
Why It Matters
As agent systems grow in complexity, understanding the trade-offs between scalability and security becomes crucial. This study provides insights into how CE-MCP can enhance performance while highlighting potential security risks, making it relevant for developers and researchers in AI and cybersecurity.
Key Takeaways
- CE-MCP improves scalability by consolidating workflows into a single execution program.
- The transition to CE-MCP introduces significant security vulnerabilities that need to be addressed.
- The MAESTRO framework identifies multiple attack classes to which CE-MCP systems are exposed.
- Empirical evaluations demonstrate reduced execution latency with CE-MCP despite increased attack surfaces.
- A layered defense architecture is proposed to mitigate identified security threats.
Computer Science > Cryptography and Security
arXiv:2602.15945 (cs)
[Submitted on 17 Feb 2026]
Title: From Tool Orchestration to Code Execution: A Study of MCP Design Choices
Authors: Yuval Felendler, Parth A. Gandhi, Idan Habler, Yuval Elovici, Asaf Shabtai
Abstract: Model Context Protocols (MCPs) provide a unified platform for agent systems to discover, select, and orchestrate tools across heterogeneous execution environments. As MCP-based systems scale to incorporate larger tool catalogs and multiple concurrently connected MCP servers, traditional tool-by-tool invocation increases coordination overhead, fragments state management, and limits support for wide-context operations. To address these scalability challenges, recent MCP designs have incorporated code execution as a first-class capability, an approach called Code Execution MCP (CE-MCP). This enables agents to consolidate complex workflows, such as SQL querying, file analysis, and multi-step data transformations, into a single program that executes within an isolated runtime environment. In this work, we formalize the architectural distinction between context-coupled (traditional) and context-decoupled (CE-MCP) models, analyzing their fundamental scalability trade-offs. Using the MCP-Bench framework across 10 representative servers, we empirically...