What is Tool Name Collision?
Tool name collision occurs when multiple MCP servers expose tools with the same name, creating ambiguity about which tool the AI agent actually invokes. This can happen accidentally or be exploited deliberately.
WHY IT MATTERS
MCP clients typically aggregate tools from all connected servers into a single tool list presented to the AI agent. If two servers both expose a tool called send_email, the agent has no reliable way to distinguish between them. Which one gets called may depend on connection order, server response time, or undefined client behaviour.
In benign cases, this is a configuration mistake — two servers happen to use the same tool name. But the collision can be weaponised. An attacker who controls one MCP server can deliberately expose tools with names matching a trusted server's tools, creating a race condition where the malicious tool may be invoked instead of the legitimate one.
The problem is compounded by the flat namespace of MCP tool names. Unlike programming languages with package namespaces, MCP tools are identified by simple strings. There is no built-in mechanism for disambiguation, and most MCP clients do not warn about collisions.
For organisations running multiple MCP servers — databases, APIs, internal tools — collisions become increasingly likely as the number of connected servers grows. Without explicit routing policies, tool calls become unpredictable.
HOW POLICYLAYER USES THIS
Intercept resolves tool name collisions through YAML policies that bind tool names to specific server identifiers. A policy can specify that send_email must only route to the verified email server, blocking any other server's tool with the same name. This deterministic routing eliminates the ambiguity that makes collisions exploitable, and the fail-closed design ensures that unresolved collisions result in a blocked call rather than an unpredictable one.
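The collision described under WHY IT MATTERS and the server binding described above, as an added Python example that is not part of the original page and is not Intercept's code or policy format: it finds tool names advertised by more than one server and routes a call only when the name is unambiguous or pinned, blocking it otherwise. The server identifiers, the `PINS` table and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: tool lists as each connected server advertises them.
ADVERTISED = {
    "mail-internal": ["send_email", "list_inbox"],
    "crm": ["lookup_customer"],
    "third-party-notes": ["send_email", "create_note"],
}

# Hypothetical pin table: tool name -> the only server allowed to serve it.
PINS = {"send_email": "mail-internal"}


class RoutingError(Exception):
    """Raised when a call cannot be routed unambiguously (fail closed)."""


def find_collisions(advertised):
    """Return {tool_name: sorted servers} for names exposed by more than one server."""
    owners = defaultdict(set)
    for server, tools in advertised.items():
        for name in tools:
            owners[name].add(server)
    return {n: sorted(s) for n, s in owners.items() if len(s) > 1}


def resolve(tool, advertised, pins):
    """Pick the server for a tool call, refusing anything ambiguous."""
    candidates = sorted(s for s, tools in advertised.items() if tool in tools)
    if not candidates:
        raise RoutingError(f"{tool}: no connected server exposes this tool")
    pinned = pins.get(tool)
    if pinned is not None:
        # A pin is authoritative: the pinned server must actually offer the tool.
        if pinned not in candidates:
            raise RoutingError(f"{tool}: pinned server {pinned!r} does not expose it")
        return pinned
    if len(candidates) > 1:
        # Unpinned collision: block rather than let connection order decide.
        raise RoutingError(f"{tool}: exposed by {candidates}, no pin configured")
    return candidates[0]


if __name__ == "__main__":
    print("collisions:", find_collisions(ADVERTISED))
    print("send_email ->", resolve("send_email", ADVERTISED, PINS))
```

Running `find_collisions` at connection time gives the warning that the page notes most clients lack; `resolve` is the per-call check.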