🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

MCP Tool Shadowing

Tool shadowing occurs when a malicious MCP tool impersonates a legitimate one by exploiting name or namespace collisions, registry weaknesses, or silent updates. The client believes it is calling the intended trusted tool, but instead invokes a malicious tool that executes unauthorised actions, exfiltrates data, or abuses elevated privileges.

Remediation

  • Require cryptographic signing of tool manifests and binaries; verify signatures against trusted publishers.
  • Resolve and pin tools by immutable identifiers (manifest hash, canonical module ID), not just human-readable names.
  • Use registry allowlists with enforced namespace ownership and alert on ownership changes.
  • Prompt users with full provenance and permission scopes at install/update; require re-approval for manifest changes.
  • Sandbox all third-party tools with restricted permissions to limit blast radius.

Metadata

  • Severity: high
  • Slug: mcp-tool-shadowing

CWEs

  • 284: Improper Access Control
  • 829: Inclusion of Functionality from Untrusted Control Sphere

OWASP

  • LLM01:2025: Prompt Injection
  • LLM03:2025: Supply Chain

Available Labs

Open Artificial Intelligence labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.