Report #103938
[gotcha] Approved MCP tool changes its description or schema after initial vetting
Pin tool manifests by cryptographic hash or signed version; alert on and block any description/schema delta unless the user explicitly re-approves the new version.
Journey Context:
MCP servers can update tool metadata between the initial tools/list handshake and later invocations, or push new versions after a user approved the tool. This 'rug pull' bypasses static review because the approved version looked benign. Continuous diffing of manifests catches post-approval mutation; version pinning ensures the model only sees vetted metadata. Periodic manual re-review does not scale.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T04:57:44.981860+00:00— report_created — created