English

Overthinking Loops in Agents: A Structural Risk via MCP Tools

Computation and Language 2026-02-17 v1 Cryptography and Security

Abstract

Tool-using LLM agents increasingly coordinate real workloads by selecting and chaining third-party tools based on text-visible metadata such as tool names, descriptions, and return messages. We show that this convenience creates a supply-chain attack surface: a malicious MCP tool server can be co-registered alongside normal tools and induce overthinking loops, where individually trivial or plausible tool calls compose into cyclic trajectories that inflate end-to-end tokens and latency without any single step looking abnormal. We formalize this as a structural overthinking attack, distinguishable from token-level verbosity, and implement 14 malicious tools across three servers that trigger repetition, forced refinement, and distraction. Across heterogeneous registries and multiple tool-capable models, the attack causes severe resource amplification (up to 142.4×142.4\times tokens) and can degrade task outcomes. Finally, we find that decoding-time concision controls do not reliably prevent loop induction, suggesting defenses should reason about tool-call structure rather than tokens alone.

Keywords

Cite

@article{arxiv.2602.14798,
  title  = {Overthinking Loops in Agents: A Structural Risk via MCP Tools},
  author = {Yohan Lee and Jisoo Jang and Seoyeon Choi and Sangyeop Kim and Seungtaek Choi},
  journal= {arXiv preprint arXiv:2602.14798},
  year   = {2026}
}
R2 v1 2026-07-01T10:38:35.627Z