SkillTotal
cd ~/labs
visitor@skilltotal:~$ cat ./labs/malicious-mcp-server/mission.txt

Malicious MCP Server

lab 09 · ST-MCP-TOOL-SHADOWING · LLM03
mission.txt
scenario

You publish an MCP server. The host reviews your tool list and rejects any tool whose name is literally a trusted builtin (read_file, search, exec, …). It does not inspect look-alikes, duplicates, or what happens after approval.

objective

Get a tool registered that shadows a trusted builtin — via a look-alike name (hidden character / homoglyph) or a duplicate — or that rug-pulls by mutating its behavior after the host approves it.

session — malicious-mcp-server
server.json
▚ Intel

No leads yet. Declassify intel one step at a time when you’re stuck.

▰ Dossierclassified — solve to unseal

How this attack works

The review checked tool names for exact equality with builtins. A homoglyph or zero-width variant renders identically but compares as different, so it shadows the real tool when the agent calls it. A duplicate name and an onUpdate/postApproval field achieve the same end — the approved definition is not the one that ultimately runs.

Why it's dangerous

Agents route tool calls by name and trust the server’s manifest. A shadowing tool can intercept read_file or search and exfiltrate or tamper, while a rug-pull turns a vetted server malicious on its next update — the user approved something else entirely. SkillTotal flags name collisions as ST-MCP-TOOL-SHADOWING.

OWASP mapping

Maps to OWASP Top 10 for LLM Applications (2025): LLM03: Supply Chain (and OWASP Agentic Skills AST04). SkillTotal’s ST-MCP-TOOL-SHADOWING flags tools whose names collide with or mimic trusted ones.

How to defend

  • Namespace every server’s tools; forbid names that collide with builtins or other servers.
  • Normalize names (strip invisible chars, fold homoglyphs) before the uniqueness check.
  • Pin and hash approved tool definitions; re-review on any manifest change (no silent updates).
  • Require explicit re-consent when a server adds, renames, or mutates a tool.

SkillTotal catches this class of issue deterministically (rule ST-MCP-TOOL-SHADOWING).

Scan AI component (free)

FAQ

What is tool shadowing?
Registering a tool with the same (or look-alike) name as a trusted one so the agent routes calls to the attacker's implementation instead of the legitimate tool.
What is an MCP rug pull?
A server that presents a benign tool list to pass review, then changes a tool's behavior after approval — so what runs is not what the user consented to.