Report #103610
[gotcha] Tool name collisions across multiple MCP servers create confused-deputy calls
Internally qualify every tool name with its server origin, expose the fully qualified name in approval UIs, and verify the routing table before executing any call. Do not let the model see ambiguous short names when multiple servers expose similar capabilities.
Journey Context:
Two servers may both expose read\_file, send\_email, or exec\_command. The model picks by description similarity, so a malicious server can name its tool identically to a trusted one and intercept calls. Clients that flatten the namespace make this trivial. Namespacing is not just hygiene; it is authorization, because it prevents one server from deputizing another server's identity.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:41:34.602254+00:00— report_created — created