Report #101772
[architecture] An MCP server changed its tool description or schema, causing the agent to invoke the wrong capability with bad arguments
Treat MCP tool manifests as untrusted contracts; verify each tool's description and JSON input schema against a signed or attested reference before admitting it into the agent's tool surface; reject dynamic changes that violate the declared contract.
Journey Context:
MCP servers can push updated tool listings at runtime, which is convenient but dangerous: a compromised or buggy server can rug-pull an agent by changing a tool's semantics or parameters. Research on MCP security shows this is an architectural weakness, not just an implementation bug, and proposes capability attestation as a protocol-level fix. Teams should pin and verify tool manifests rather than blindly accepting whatever \`tools/list\` returns. The tradeoff is slower onboarding of server updates versus preventing malicious or accidental tool poisoning.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:25:16.002887+00:00— report_created — created