Why
MCP servers can change their tool descriptions, argument schemas, or capabilities after being initially trusted. This 'rug-pull' attack lets a trusted tool silently change behavior — e.g., a read_file tool that starts silently exfiltrating data to an external endpoint.
No existing OSS guardrail tool detects this.
What
Snapshot MCP tool metadata on first proxy connection, detect and alert on changes.
Acceptance Criteria
- On first connection to an MCP server, snapshot the tools/list response (tool names, descriptions, argument schemas)
- Store snapshot in a local file (
.intent-guard/tool-snapshots/<server-hash>.json)
- On subsequent connections, compare current tools/list with snapshot
- Alert (audit log + stderr warning) if any tool has changed description, schema, or new tools appeared
- Configurable:
--detect-tool-changes flag
- Policy option: block changed tools until re-approved, or warn-only
- Tests: simulated rug-pull scenario
Competitive advantage
Novel capability — no OSS or commercial tool currently detects MCP tool description poisoning.
Why
MCP servers can change their tool descriptions, argument schemas, or capabilities after being initially trusted. This 'rug-pull' attack lets a trusted tool silently change behavior — e.g., a
read_filetool that starts silently exfiltrating data to an external endpoint.No existing OSS guardrail tool detects this.
What
Snapshot MCP tool metadata on first proxy connection, detect and alert on changes.
Acceptance Criteria
.intent-guard/tool-snapshots/<server-hash>.json)--detect-tool-changesflagCompetitive advantage
Novel capability — no OSS or commercial tool currently detects MCP tool description poisoning.