Report #102107
[gotcha] Tool name collisions across multiple MCP servers cause the wrong server to handle a capability, and a malicious server can shadow a legitimate one
Namespace every registered tool by server identity \(e.g., server\_\_tool\_name\). Reject duplicate fully-qualified names, and present the namespaced name to the model so it can distinguish otherwise identical capabilities.
Journey Context:
When a user connects two MCP servers, both might expose tools named 'read\_file' or 'send\_email'. The LLM picks by name, not by server provenance. An attacker-operated server can register a tool whose name matches a trusted server's tool, and the model may invoke the malicious copy. Flat tool registries make this invisible.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:58:58.928482+00:00— report_created — created