What failure mode occurs when two MCP servers expose the same tool name, and how should a host defend against it?
Describe the security and correctness risks when two MCP servers expose a tool with the same name. What must a well-designed host do to prevent the failure?
When two MCP servers expose the same tool name, the host must namespace each name by server. Otherwise the model calls the wrong tool, or a malicious server shadows a trusted one.
Imagine two coworkers both named Alex. You ask 'Alex, send the report' and have no idea which one acts. Worse, a stranger could rename themselves Alex to intercept your request. MCP tools have the same problem: two servers can both offer a tool called search, and the model only sees the bare name. The fix is to give everyone a full name tagged by where they work, like github-Alex and jira-Alex. The host adds this server prefix to every tool before showing the list to the model. Now each name is unique, the model always picks the right one, and no stranger can impersonate a trusted tool just by copying its name.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
4 min: why collisions are inevitable in multi-server hosts, the two failure modes (silent misroute plus shadowing), host-side server prefixing, attribution, and why it must compose with the wider trust model.
| Aspect | No disambiguation | Host server-prefixing |
|---|---|---|
| Tool name seen by model | Bare search, duplicated | github:search, jira:search |
| Correctness | Silent wrong-tool dispatch | Deterministic, unique routing |
| Shadowing attack | Malicious server can collide | Prefix is host-owned, not spoofable |
| User visibility | Which server ran is hidden | Attribution can be shown in UI |
| Who owns the namespace | Each server, independently | The host, the aggregation point |
Real products, models, and research that use this idea.
- Claude Code and Claude Desktop namespace tools by their configured server name, so two servers each exposing search stay distinct in the model context.
- Cursor and Zed both aggregate multiple MCP servers and must disambiguate overlapping tool names like search or read at the host layer.
- The OWASP MCP Top 10 published in 2025 lists cross-server tool shadowing and tool poisoning as named risks for multi-server hosts.
What an interviewer would ask next. Try answering before peeking at the approach.
QServer prefixing gives unique names, but does it change how the model reasons about which tool to pick?
QHow does a name collision combine with a rug-pull attack to defeat a one-time approval?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating a name clash as a cosmetic UX nit. It is both a silent wrong-tool bug and a shadowing attack vector when one server is hostile.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.