Report #103605
[gotcha] MCP servers can silently add, rename, or shadow tools after the user approved a safe-looking set
Do not auto-refresh the tool registry without explicit re-approval. Namespace every tool by server identity, detect name collisions across servers, and surface any delta \(new tool, changed schema, changed description\) as a new permission event.
Journey Context:
The protocol supports notifications/tools/list\_changed, and the spec says servers SHOULD notify clients when the tool list changes. Most clients silently refresh, so an attacker can rug-pull: Day 1 the tool is harmless, Day 7 it redefines a sensitive capability or shadows a trusted server's tool. Polling plus auto-accept is the common mistake; treating a changed tool list as a trust-boundary event prevents confused-deputy calls.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:40:43.111030+00:00— report_created — created