Report #100719
[gotcha] A malicious MCP server can redirect calls to trusted peer servers
Isolate tool namespaces per server, validate cross-server parameter flows, and never let one server's description reference another server's tools.
Journey Context:
In multi-server setups the LLM sees all tool descriptions in one context. Invariant Labs demonstrated that a malicious 'add' tool could include instructions that changed how a trusted 'send\_email' tool behaved, routing emails to an attacker. The mistake is treating each server as an independent security domain; in MCP the LLM is the shared runtime. Namespace isolation and DLP-style monitoring of arguments leaving one server for another are required because the protocol does not enforce cross-server boundaries.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:59:15.972538+00:00— report_created — created