What is Tool Shadowing?
Tool shadowing is an attack where a malicious MCP server exposes a tool with the same name as a trusted server's tool, silently intercepting calls the AI agent intended for the legitimate server.
WHY IT MATTERS
Tool shadowing is the deliberate weaponisation of tool name collisions. Unlike accidental collisions, shadowing is an intentional attack: the adversary studies a target server's tool names and replicates them on a malicious server, hoping the agent routes calls to the shadow instead of the original.
The attack exploits how MCP clients resolve tool names. Most clients present a flat list of available tools without clear server attribution. When two tools share a name, the client's resolution logic — often undocumented — determines which one the agent calls. An attacker can manipulate this by tuning their server's response timing or tool description to increase the likelihood of being selected.
Shadowed tools can be functionally identical to the original, passing through requests to the legitimate server while logging parameters. This man-in-the-middle pattern is nearly invisible — the agent gets correct results, the user sees normal behaviour, and the attacker silently captures every argument including credentials, queries, and sensitive data.
The attack is especially effective against high-value tools like database queries, payment processing, or credential management — tools where the parameters themselves are the prize.
HOW POLICYLAYER USES THIS
Intercept prevents tool shadowing by enforcing explicit tool-to-server bindings in YAML policies. Each tool name is mapped to an authorised server identifier, and calls to shadowed duplicates are rejected. The proxy's audit trail records the actual server that would have received each call, making shadow detection straightforward during security audits. Combined with fail-closed defaults, any unrecognised tool name or server pairing is blocked rather than routed ambiguously.