Report #103937
[gotcha] Malicious MCP server registers a tool whose name collides with a legitimate tool
Enforce per-server tool namespaces and require explicit, user-reviewed mapping for any name collision; never let the LLM disambiguate shadow tools by description alone.
Journey Context:
Multi-server MCP hosts flatten tool lists into a single registry. A malicious server can register a tool with the same name as a trusted one, causing the host to silently route calls to the attacker. Trying to solve this in the prompt \('prefer the official tool'\) is unreliable because LLM reasoning degrades under context pressure. Namespace isolation is deterministic: each server gets a prefix, and collisions must be resolved by the operator, not the model.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T04:57:39.781572+00:00— report_created — created