How do MCP tool poisoning, cross-server shadowing, and rug pulls differ?
Tool poisoning embeds malicious influence in a tool description or result. Cross-server shadowing lets one low-trust server steer use of another server's capability. A rug pull changes a previously reviewed schema, description, implementation, dependency, or destination later. Defend with isolated trust contexts, capability snapshots, change review, sandboxing and runtime authorization.
How to think about it
The attacks differ by source and time. Poisoning places instructions in metadata or output. Shadowing crosses server trust boundaries. A rug pull changes the capability after approval.
Pin server identity and a security-relevant capability snapshot, diff dynamic tool lists, separate low- and high-trust servers, authorize exact arguments, sandbox execution and treat returned text as untrusted data.