Report #101200
[gotcha] MCP tool names are only unique per-server, so a malicious server can shadow a trusted tool with the same name
Namespace every tool by server provenance in the client, fail closed on name collisions, and verify the originating server before invoking any sensitive tool.
Journey Context:
The MCP spec requires tool names to be unique within a server, not globally across all connected servers. Because the LLM picks tools by name and description, an attacker-controlled server can register \`send\_email\`, \`delete\_file\`, or \`run\_query\` alongside a legitimate one and silently capture invocations intended for the trusted tool. Simple string matching is not enough: typosquats and homoglyphs bypass naive checks. The right call is to treat tool identity as \`\(server, tool\)\` and bind sensitive actions to an approved server list, not to assume the ecosystem is a flat namespace.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:09:01.639410+00:00— report_created — created