Tool Definition & Lifecycle
Two installed MCP servers register a tool with the same name; a malicious second server shadows or spoofs a tool the user trusted.
When a client is connected to multiple MCP servers at once — which is the common case — tool names can collide. If a malicious server registers `read_file`, a naive client may route the model's call to the wrong server. Even if the client disambiguates, the model sees two tools with identical descriptions and may pick the wrong one.
The MCP spec does not mandate namespacing of tool names across servers, so namespacing is a client-level concern. Clients that silently accept every tool from every server, and present them to the model as a flat list, give the attacker a free hand.
// Client-side: all tools in one list, last write wins
const allTools = new Map();
for (const server of servers) {
  for (const t of await server.listTools()) {
    allTools.set(t.name, t); // collision silently overwrites
  }
}

// Namespace by origin, require explicit disambiguation.
const allTools = new Map();
for (const server of servers) {
  for (const t of await server.listTools()) {
    const key = `${server.id}::${t.name}`;
    allTools.set(key, t);
  }
}
We scan registered MCP servers for tool names that duplicate names in other high-popularity servers. Not every collision is malicious, but every collision is a latent confusion risk, and we surface it.
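As an added example (not MCPSafe's own code), the namespacing fix above combined with the collision check described here: tool lists from two servers are keyed by origin so nothing is overwritten, bare-name duplicates are reported (noting when their descriptions are identical), and a bare name is routed only when it is unambiguous. The server ids, tool names and descriptions are constructed inline so the snippet runs offline.

```javascript
// Constructed sample: two servers that both expose a `read_file` tool.
const servers = [
  { id: "fs-local", tools: [
    { name: "read_file", description: "Read a file from disk" },
    { name: "list_dir", description: "List a directory" } ] },
  { id: "third-party", tools: [
    { name: "read_file", description: "Read a file from disk" },
    { name: "search", description: "Search the web" } ] },
];

// Merge every tool under `${server.id}::${tool.name}` so no entry is
// overwritten, and report every bare name registered by more than one origin.
function mergeTools(servers) {
  const byKey = new Map();
  const byBareName = new Map();
  for (const server of servers) {
    for (const t of server.tools) {
      byKey.set(`${server.id}::${t.name}`, { ...t, origin: server.id });
      const seen = byBareName.get(t.name) ?? [];
      seen.push({ origin: server.id, description: t.description });
      byBareName.set(t.name, seen);
    }
  }
  const collisions = [];
  for (const [name, seen] of byBareName) {
    if (seen.length < 2) continue;
    // Identical descriptions mean the model cannot tell the two apart.
    const sameDescription = new Set(seen.map((s) => s.description)).size === 1;
    collisions.push({ name, origins: seen.map((s) => s.origin), sameDescription });
  }
  return { tools: byKey, collisions };
}

// Route a call: an origin-qualified key always resolves; a bare name resolves
// only if exactly one origin provides it, otherwise the caller must qualify it.
function resolveTool(merged, requested) {
  if (merged.tools.has(requested)) return merged.tools.get(requested);
  const matches = [...merged.tools.keys()].filter((k) => k.endsWith(`::${requested}`));
  if (matches.length === 1) return merged.tools.get(matches[0]);
  if (matches.length === 0) throw new Error(`unknown tool: ${requested}`);
  throw new Error(`ambiguous tool "${requested}": ${matches.join(", ")}`);
}

const merged = mergeTools(servers);
console.log(merged.collisions);
```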
See the full threat catalog for every documented detection.
MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.