Report #100718
[gotcha] Approved MCP tools can change their descriptions later without re-approval
Baseline approved tool definitions and reject or re-prompt whenever tools/list or notifications/tools/list\_changed signals a drift.
Journey Context:
MCP servers can update tool descriptions after the user initially approved them. This 'rug pull' means a server that passed review can become malicious later, yet many clients only prompt on first connection. The fix is client-side baselining: store a hash of each accepted tool definition and compare on every session start. This is more practical than asking users to re-audit descriptions manually, and it closes the gap left by the protocol's listChanged notification.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:58:35.277404+00:00— report_created — created