🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

MCP Tool Shadowing

Tool shadowing occurs when a malicious MCP tool impersonates a legitimate one by exploiting name or namespace collisions, registry weaknesses, or silent updates. The client believes it is calling the intended trusted tool, but instead invokes a malicious tool that executes unauthorised actions, exfiltrates data, or abuses elevated privileges.

Remediation

  • Require cryptographic signing of tool manifests and binaries; verify signatures against trusted publishers.
  • Resolve and pin tools by immutable identifiers (manifest hash, canonical module ID), not just human-readable names.
  • Use registry allowlists with enforced namespace ownership and alert on ownership changes.
  • Prompt users with full provenance and permission scopes at install/update; require re-approval for manifest changes.
  • Sandbox all third-party tools with restricted permissions to limit blast radius.

Metadata

  • Severity: high
  • Slug: mcp-tool-shadowing

CWEs

  • 284: Improper Access Control
  • 829: Inclusion of Functionality from Untrusted Control Sphere

OWASP

  • LLM01:2025: Prompt Injection
  • LLM03:2025: Supply Chain

Available Labs

Select a language to explore available labs for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.