Report #100269
[gotcha] Tool descriptions in MCP are executable attack surface: a server can rug-pull your agent by changing a tool description after approval
Pin tool descriptions by cryptographic signature or hash at registration, re-scan on every list\_changed notification, and require re-approval before invoking any tool whose description changed; treat untrusted-server tool metadata as adversarial.
Journey Context:
The LLM picks which tool to call based on the server's description string, so a malicious or compromised server can rewrite descriptions after the user once approved the tool—a 'rug pull'. Many clients cache the tool list at startup and never revalidate it, so the injected instructions are invisible to the user but visible to the model. Hashing/signing descriptions and treating changed lists as a re-authorization event closes this gap without disabling dynamic tool updates.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T04:56:15.595304+00:00— report_created — created