Skip to content

[ASI02] MCP tool-name pinning / typosquat-resistant resolution — close ASI02 #7 #231

Description

@initializ-mk

Problem

If MCP tool names resolve ambiguously or by loose matching, a typosquatted or shadowing tool can intercept a call the agent intended for a legitimate tool. A related case: a server keeps the same tool name and version but silently swaps the tool's input/output contract underneath the agent.

Current state

Egress and denied_tools/max_tool_count policy strongly bound tool use (forge-core/security/platform_policy_enforce.go:194,228), and tool calls are audited (tool_exec). But MCP tool names are not version-pinned, ambiguous resolution is not proven to fail closed, and there is no check that a resolved tool's capability schema is the one the agent was built/authorized against. See docs/security/owasp-asi-conformance.md (ASI02 #7).

Proposed control

  • Fully-qualified, version-pinned MCP tool identifiers, expressed as a structured resolution record ({server, namespace, name, version, capability_schema_hash}) rather than a single URI scheme — to avoid format-parsing/versioning overhead and stay aligned with MCP's own tool-identity conventions.
  • Ambiguous resolution (more than one candidate) fails closed with an audit event rather than picking a candidate.
  • Capability-schema-hash pinning: fail closed when a resolved tool's input/output schema hash drifts from the pinned value — catches the same-name/same-version contract-swap case, not just differently-named shadow tools. (Thanks to @0xbrainkid for this addition — see discussion below.)

Acceptance criteria

  • A tool reference that resolves to more than one candidate fails closed with an instrumented event.
  • MCP tools are addressed by a fully-qualified, pinned identifier ({server, namespace, name, version, capability_schema_hash}).
  • A resolved tool whose capability-schema hash differs from the pinned value fails closed with an instrumented event (contract-swap defense).

Conformance test

  • TestASI02_AmbiguousMCPToolFailsClosed — multi-candidate resolution fails closed.
  • TestASI02_MCPToolSchemaDriftFailsClosed — same name+version, changed schema hash, fails closed.

Out of scope

  • Server/issuer identity + attestation — that is the ASI04 supply-chain lane; the pinned identifier here deliberately does NOT carry issuer/server-identity material. Cross-reference, don't merge.
  • Per-agent authority scope — authorization is ASI03 (identity & privilege abuse), not tool-name resolution. Cross-reference, don't merge.
  • MCP server trust/attestation generally; non-MCP builtins.

Guideline reference

ASI02 mitigation #7 (OWASP Agentic Top 10 2026).

Metadata

Metadata

Assignees

No one assigned

    Labels

    asi02OWASP ASI02forge-coreAffects the forge-core library (runtime, security, types, llm, mcp, auth)owasp-asiOWASP Top 10 for Agentic Applications 2026 conformancesecuritySecurity vulnerability fixes

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions