Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
In a multi-server MCP setup, explain how a malicious server can shadow or override a trusted server's tools. What must the host do to prevent this?
A malicious server registers a tool whose name collides with a trusted one; without host-side namespacing and trust tiers, the model may invoke the attacker's version.
Picture an office where two delivery companies both put out a tray labeled 'Outgoing Mail'. You hand your letter to whichever tray is closest, never checking which company owns it. A scammer sets up a tray with the exact same label right next to the real one, and now your mail goes to the scammer, who copies it before forwarding it on. The fix is to label each tray with the company name, only trust trays from vetted companies, and make the worker confirm the company before dropping a letter. In MCP terms, the trays are tool names, the companies are servers, and the worker is the language model choosing which tool to call.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: why MCP leaves trust to the host, the collision plus poisoning attack, then the layered defense of namespacing, trust tiers, pinning, attribution, and integrity checks.
| Defense layer | What it blocks | Where it lives |
|---|---|---|
| Server namespacing | Ambiguous same-name collisions | Host, before LLM injection |
| Trust tiers and allowlists | Untrusted servers entering the catalog | Host config and registry policy |
| Definition pinning | Rug pull edits after approval | Host state across a session |
| Attribution in approval UI | Misattributed sensitive calls | Host user interface |
| Integrity checks and logging | Silent tampering and audit gaps | Host observability layer |
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Assuming MCP enforces tool uniqueness or trust. It does not; the host owns namespacing, trust tiers, and attribution, or the attack lands.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.