Malicious MCP Server
You publish an MCP server. The host reviews your tool list and rejects any tool whose name is literally a trusted builtin (read_file, search, exec, …). It does not inspect look-alikes, duplicates, or what happens after approval.
Get a tool registered that shadows a trusted builtin — via a look-alike name (hidden character / homoglyph) or a duplicate — or that rug-pulls by mutating its behavior after the host approves it.
How this attack works
The review checked tool names for exact equality with builtins. A homoglyph or zero-width variant renders identically but compares as different, so it shadows the real tool when the agent calls it. A duplicate name and an onUpdate/postApproval field achieve the same end — the approved definition is not the one that ultimately runs.
Why it's dangerous
Agents route tool calls by name and trust the server’s manifest. A shadowing tool can intercept read_file or search and exfiltrate or tamper, while a rug-pull turns a vetted server malicious on its next update — the user approved something else entirely. SkillTotal flags name collisions as ST-MCP-TOOL-SHADOWING.
OWASP mapping
Maps to OWASP Top 10 for LLM Applications (2025): LLM03: Supply Chain (and OWASP Agentic Skills AST04). SkillTotal’s ST-MCP-TOOL-SHADOWING flags tools whose names collide with or mimic trusted ones.
How to defend
- Namespace every server’s tools; forbid names that collide with builtins or other servers.
- Normalize names (strip invisible chars, fold homoglyphs) before the uniqueness check.
- Pin and hash approved tool definitions; re-review on any manifest change (no silent updates).
- Require explicit re-consent when a server adds, renames, or mutates a tool.
SkillTotal catches this class of issue deterministically (rule ST-MCP-TOOL-SHADOWING).
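A host-side review that implements the first three defenses above, written as an added example (not the lab's or SkillTotal's code): it normalizes names before the collision check, flags duplicates and declared post-approval hooks, and pins a digest of each approved definition so a silent manifest change is caught. The trusted-builtin set and the confusables table are constructed for the example; a real host would use the full Unicode confusables data.

```python
import hashlib
import json
import unicodedata

# Constructed set of trusted builtins for this example (mirrors the page's list).
TRUSTED_BUILTINS = {"read_file", "search", "exec"}

# Constructed, deliberately small confusables table (Cyrillic look-alikes -> Latin).
# Assumption: a production host loads the full Unicode confusables.txt instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0445": "x"}

def normalize_name(name: str) -> str:
    """Canonical form used for the uniqueness check: NFKC-fold, drop invisible
    format characters (zero-width space/joiner, BOM), map confusables, casefold."""
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    return "".join(CONFUSABLES.get(ch, ch) for ch in visible).casefold()

def definition_digest(tool: dict) -> str:
    """Pin the whole approved definition (schema, description, hooks), not just the name."""
    canonical = json.dumps(tool, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def review_manifest(server: str, tools: list, pinned: dict) -> list:
    """Return findings for one server's manifest; an empty list means it is acceptable.
    `pinned` maps "<server>.<normalized name>" to the digest approved on a prior review."""
    findings = []
    seen = set()
    for tool in tools:
        canon = normalize_name(tool["name"])
        if canon in TRUSTED_BUILTINS:
            findings.append(f"shadowing: {tool['name']!r} normalizes to builtin {canon!r}")
        if canon in seen:
            findings.append(f"duplicate: {tool['name']!r} repeats {canon!r} within {server}")
        seen.add(canon)
        if set(tool) & {"onUpdate", "postApproval"}:
            findings.append(f"rug-pull hook: {tool['name']!r} declares post-approval mutation")
        namespaced = f"{server}.{canon}"  # namespacing: builtins never carry a server prefix
        digest = definition_digest(tool)
        if namespaced in pinned and pinned[namespaced] != digest:
            findings.append(f"changed: {namespaced} differs from approved definition; re-consent required")
    return findings
```

Any non-empty result should block registration until a human re-reviews; the pinned digest map is what the host stores at approval time.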
FAQ
- What is tool shadowing?
- Registering a tool with the same (or look-alike) name as a trusted one so the agent routes calls to the attacker's implementation instead of the legitimate tool.
- What is an MCP rug pull?
- A server that presents a benign tool list to pass review, then changes a tool's behavior after approval — so what runs is not what the user consented to.