In a multi-server MCP setup, explain how a malicious server can shadow or override a trusted server's tools. What must the host do to prevent this?
A malicious server registers a tool whose name collides with a trusted one; without host-side namespacing and trust tiers, the model may invoke the attacker's version.
Picture an office where two delivery companies both put out a tray labeled 'Outgoing Mail'. You hand your letter to whichever tray is closest, never checking which company owns it. A scammer sets up a tray with the exact same label right next to the real one, and now your mail goes to the scammer, who copies it before forwarding it on. The fix is to label each tray with the company name, only trust trays from vetted companies, and make the worker confirm the company before dropping a letter. In MCP terms, the trays are tool names, the companies are servers, and the worker is the language model choosing which tool to call.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: why MCP leaves trust to the host, the collision plus poisoning attack, then the layered defense of namespacing, trust tiers, pinning, attribution, and integrity checks.
| Defense layer | What it blocks | Where it lives |
|---|---|---|
| Server namespacing | Ambiguous same-name collisions | Host, before LLM injection |
| Trust tiers and allowlists | Untrusted servers entering the catalog | Host config and registry policy |
| Definition pinning | Rug pull edits after approval | Host state across a session |
| Attribution in approval UI | Misattributed sensitive calls | Host user interface |
| Integrity checks and logging | Silent tampering and audit gaps | Host observability layer |
Real products, models, and research that use this idea.
- Claude Code and Claude Desktop prefix MCP tools by server identifier so a colliding name from a second server cannot silently shadow a trusted tool.
- The OWASP MCP Top 10, published in 2025, lists tool poisoning and cross-server shadowing as named risks with host-side mitigations.
- Cursor and Zed both surface the owning MCP server in their tool-approval prompts so a user can spot a misattributed or unexpected call.
What an interviewer would ask next. Try answering before peeking at the approach.
QPrefixing disambiguates names, but how do you stop the model from preferring a poisoned description?
QHow would you detect a rug pull where a server rewrites a tool after the user already approved it?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Assuming MCP enforces tool uniqueness or trust. It does not; the host owns namespacing, trust tiers, and attribution, or the attack lands.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.