Report #103120
[gotcha] Tool descriptions can change after the user first approves them \(rug pull\)
Hash and pin each tool's JSON schema and description at install time. On every reconnect, compare the current tools/list response to the pinned baseline and require explicit re-approval when anything changes.
Journey Context:
MCP supports dynamic tool discovery, which is convenient for adding capabilities without redeploying the client. The downside is that a benign server can update its tool definitions at runtime to include malicious descriptions or new dangerous parameters after the user has already approved it. This is OWASP MCP03's 'rug pull.' Most users approve once and never review again. The fix is cryptographic or hash pinning combined with drift alerts; simply trusting the same server hostname is not enough because the server process itself may be compromised.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:03:01.982481+00:00— report_created — created