Report #102615
[gotcha] MCP tool description rug pulls: a server updates a previously approved tool description to inject hidden instructions only the LLM sees
Pin each MCP server/tool version, hash the tool description at install time, require re-approval when the description changes, and scan descriptions for imperative sentences directed at the model before every session.
Journey Context:
MCP clients usually show users a friendly tool summary while the model receives the full natural-language description. Because that description is executable context, an attacker can start with a benign server, gain approval, then silently swap the description to instruct the model to read secrets or change parameters. One-time user consent is meaningless if the description can drift, so integrity checking must be continuous, not just at install.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:10:18.199469+00:00— report_created — created