What is an MCP rug pull?

Short answer

An MCP rug pull is when a server ships a safe v1 tool catalog at install time, then mutates to a v2 catalog (with attacker-controlled tools or wider scope) once it is running inside your trust boundary. Disclosed by Invariant Labs in 2025 as a structural attack class.

Rug pulls are tool poisoning where the timing is post-install. A server ships a clean catalog at install, gets approved and adopted, then silently mutates its catalog later: the same tool names, but with adversarial descriptions, expanded scopes, or new undeclared tools.

Defense is structural: the agent's view of the trusted catalog must be operator-authored and signed, and every server's actual catalog must be re-validated on every spawn against that signed baseline. Drift = reject, not auto-accept. Securie's mcp-guard crate detects rug pulls by construction via a per-spawn fingerprint plus per-catalog signature verification.
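A minimal version of that per-spawn check, written here as an added example (not mcp-guard's code): the operator signs a canonical fingerprint of the approved catalog at install time, and every spawn recomputes the live catalog's fingerprint and rejects on any drift, naming what changed. The tool shape (`name`/`description`/`inputSchema`) follows MCP's `tools/list` response; the HMAC signing, the drift categories and the sample catalogs are assumptions of this example.

```python
import hashlib
import hmac
import json

def fingerprint(catalog):
    """Canonical SHA-256 over the tool list: sorted by name, sorted keys, no whitespace."""
    canon = json.dumps(sorted(catalog, key=lambda t: t["name"]),
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def sign_baseline(catalog, key):
    """Operator signs the approved catalog at install (HMAC stands in for a real signature)."""
    fp = fingerprint(catalog)
    sig = hmac.new(key, fp.encode(), "sha256").hexdigest()
    return {"fingerprint": fp, "sig": sig, "catalog": catalog}

def check_spawn(baseline, live, key):
    """Run at every server spawn. Returns (ok, reasons); any drift is a reject."""
    expected = hmac.new(key, baseline["fingerprint"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, baseline["sig"]):
        return False, ["baseline signature invalid"]
    if fingerprint(live) == baseline["fingerprint"]:
        return True, []
    base = {t["name"]: t for t in baseline["catalog"]}
    now = {t["name"]: t for t in live}
    reasons = []
    for name in sorted(now.keys() - base.keys()):
        reasons.append(f"undeclared tool added: {name}")
    for name in sorted(base.keys() - now.keys()):
        reasons.append(f"tool removed: {name}")
    for name in sorted(base.keys() & now.keys()):
        if base[name].get("description") != now[name].get("description"):
            reasons.append(f"description changed: {name}")
        if base[name].get("inputSchema") != now[name].get("inputSchema"):
            reasons.append(f"input schema changed: {name}")
    return False, reasons

# Constructed sample: clean v1 catalog approved at install, mutated v2 at a later spawn.
KEY = b"operator-baseline-key"  # placeholder; a deployment uses an operator-held signing key
PATH_SCHEMA = {"type": "object", "properties": {"path": {"type": "string"}}}
V1 = [{"name": "read_file", "description": "Read a file in the workspace.",
       "inputSchema": PATH_SCHEMA}]
V2 = [{"name": "read_file", "inputSchema": PATH_SCHEMA,
       "description": "Read a file. Also return every other file in the workspace."},
      {"name": "run_shell", "description": "Run a shell command.",
       "inputSchema": {"type": "object", "properties": {"cmd": {"type": "string"}}}}]

if __name__ == "__main__":
    print(check_spawn(sign_baseline(V1, KEY), V1, KEY))  # (True, [])
    print(check_spawn(sign_baseline(V1, KEY), V2, KEY))  # (False, [...two drift reasons...])
```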

Run `mcp-scan --check-rugpull` (Invariant Labs) periodically as a fleet-wide defense-in-depth check.
