Tool Poisoning

1 findingMCP02ASI02CoSAI-T4CoSAI-T6CoSAI-T9MAESTRO-L3MAESTRO-L7EU-AI-Act-Art-13AML.T0058#

Deceptive Naming

1 finding
F5

Official Namespace Squatting

CriticalMCP02-tool-poisoningAML.T0054

Server published as '@anthropic-tools/filesystem' by an unverified author not in the anthropics GitHub org

  1. 1Compare the observed server name "aws-mcp" against the vendor namespace "aws" (AWS). The scanner classified this match via the substring-containment classifier with Damerau-Levenshtein distance 0. If the server is an official AWS product, add its GitHub organisation to OFFICIAL_NAMESPACES.verified_github_orgs in the rule's data file.initialize.server_nameExpect: Server name "aws-mcp" directly contains the vendor token "aws".
  2. 2Open the server's repository at https://github.com/nelson-lamounier/aws-mcp and confirm the owning organisation is NOT one of the vendor's verified orgs. The vendor registers the following orgs as authoritative: github.com/aws/…, github.com/awslabs/…, github.com/amazon-archives/…. A match against any of these suppresses the finding.initialize.server_nameExpect: The repository owner is NOT in the vendor's verified-org list.
  3. 3Open the MCP registry page for "aws-mcp" (Smithery, PulseMCP, or modelcontextprotocol.io/registry). Cross-reference the stated publisher identity against AWS's official publications. A recently published server with low install count and no vendor affiliation is the canonical squat pattern.initialize.server_nameExpect: Registry publisher identity does not match AWS; the server is an impersonator.
sourceexternal-content
initialize.server_name
Server name "aws-mcp" matches AWS namespace "aws" via substring containment.

The MCP client surfaces the server name verbatim in its approval dialog, and the LLM ingests the server name alongside the tool descriptions. A name that implies official AWS origin hijacks the trust users and agents extend to the real vendor — the exact supply-chain vector Alex Birsan demonstrated in 2021 and Wiz Research documented in the MCP ecosystem in 2025.

propagationcross-tool-flow
capability:tools
Publisher URL "https://github.com/nelson-lamounier/aws-mcp" is NOT under any of AWS's verified GitHub organisations (aws, awslabs, amazon-archives). The server name + publisher mismatch propagates misplaced trust to every downstream tool invocation.
sinkprivilege-grant
initialize.server_name
Users approve the server on the basis of the vendor-branded name, granting it the session-scoped trust they would extend to a genuine AWS product. All subsequent tool calls execute under that elevated trust.
impactcross-agent-propagation
ai-client

User installs "aws-mcp" believing it is an official AWS MCP server. The LLM consumes the impersonator's tool descriptions, instructions, and output under the vendor's brand halo. Subsequent prompt injection, credential harvesting, or data exfiltration by the impersonator inherits the vendor's trust across every conversation that uses the tool.

trivial
Confidence90%OWASP-MCP10-Supply-ChainOWASP MCP Top 10 — MCP10 Supply Chain
3 confidence factors
  • +0.2official_namespace_signalServer name contains the vendor token "aws" verbatim and the repository is NOT under any of the vendor's verified GitHub organisations. Direct containment is the highest-confidence classifier.
  • +0.08publisher_url_mismatchPublisher URL "https://github.com/nelson-lamounier/aws-mcp" is NOT under any of AWS's verified GitHub organisations (aws, awslabs, amazon-archives). Publisher mismatch + namespace match is the canonical squat signature.
  • -0.08charter_confidence_capF5 charter caps confidence at 0.9 — namespace similarity + publisher mismatch is strong but not definitive. Vendor-approved partners may use the vendor namespace without a verified_github_org match, and the rule's curated vendor-org list can lag behind a rename. The 0.10 gap signals "strong static evidence, reviewer corroborates publisher identity".
Methodology5 tests · 4 frameworks
Technique
similarity
Tests (5)
  1. levenshtein-distance-band
  2. visual-confusable-replay
  3. substring-containment-check
  4. publisher-url-verification
  5. unicode-normalisation
Lethal edge cases (6)
  • Damerau-Levenshtein distance 1 from an official vendor name — "anthropc", "googl", "microsft" are typosquats a reviewer would read past. The rule must flag these at the highest confidence band: edit-distance-one from a high-value namespace is a dominant supply-chain signal.
  • Visual-confusable substitution — "l" → "1" ("goog1e"), "o" → "0" ("micr0soft"), "I" → "l" ("lBM") — distance-2 in byte space but visually indistinguishable in a monospaced approval dialog. The rule must apply the same visual-confusable replay as D3 to catch these without requiring a curated list of every visual variant.
  • Substring containment without an official repository link — a server named "anthropic-filesystem-mcp" contains "anthropic" verbatim. If the github_url is not under github.com/anthropics/, the server is impersonating the namespace regardless of the owner's intent (accidental squats are still squats, because the trust they hijack is real).
  • Legitimate impersonation — a third-party server that IS an officially-approved partner of the vendor (think: Anthropic Marketplace partners). The rule cannot distinguish approved partners from squatters statically; it emits the finding and documents the no_publisher_match signal so a reviewer can dismiss with organisational context.
  • Homoglyph attack — Cyrillic "а" (U+0430) inside "аnthropic" renders identically to Latin "a" (U+0061) in most terminal fonts. The rule must normalise Unicode confusables before similarity comparison (shared with D3's Unicode path) so the homoglyph variant does not silently evade the check.
  • Plural/possessive — "anthropics-mcp" (the real Anthropic GitHub org is `anthropics`) versus "anthropic-mcp" (singular, shared with the company brand). Both land inside distance-1 of the other; the rule must not flag `anthropics` as a squat of `anthropic` when the github_url confirms the legitimate org.
Confidence cap
unbounded
Frameworks (4)
  • EU AI ActArt.13Transparency & Provision of Information to Deployers
  • OWASP MCPMCP02Tool Poisoning
  • OWASP MCPMCP10Supply Chain Compromise
  • OWASP ASIASI04Agentic Supply Chain
Backing
  • Precision:
  • Recall:
  • Red-team fixtures: 4
  • CVE replays: none
  • Last validated:
Test 3 more rules — give us more context1 input gap
Live connection3 rules

To unlock these tests: register a live MCP endpoint.

  • E1No Authentication RequiredCode VulnerabilitiesServer-Hardening Failures
  • E2Insecure TransportAuthentication & IdentitySession & Transport Security
  • E3Response Time AnomalyAudit & LoggingAbsent or Unstructured Logging

Tested cleanly

  • Prompt Injection24 rules tested cleanly
  • Code Vulnerabilities23 rules tested cleanly
  • Data Exfiltration15 rules tested cleanly
  • Authentication & Identity9 rules tested cleanly
  • Supply Chain Security23 rules tested cleanly
  • Human Oversight6 rules tested cleanly
  • Audit & Logging5 rules tested cleanly
  • Multi-Agent Security1 rule tested cleanly
  • Protocol & Transport15 rules tested cleanly
  • Denial of Service7 rules tested cleanly
  • Container & Runtime10 rules tested cleanly
  • Model Manipulation8 rules tested cleanly
aws-mcp security findings — MCP Sentinel