Report #100275
[gotcha] Multiple MCP servers can register identically-named tools, and the LLM may pick the malicious one
Namespace every tool by server identity \(e.g., server\_id::tool\_name\), surface provenance in the UI, require user approval per server, and isolate tool choice so one server cannot shadow another.
Journey Context:
MCP only requires tool names to be unique within one server. In a multi-server host, a malicious server can register 'send\_email' and the model may invoke it instead of the legitimate one. This 'tool shadowing' is a sub-technique of tool poisoning. Namespacing and per-server approval prevent ambiguity.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T04:57:09.344249+00:00— report_created — created