What is Tool Squatting?
Tool squatting is registering an MCP server with a name deliberately similar to a popular, trusted server to intercept agent tool calls. It is the MCP equivalent of typosquatting in package managers.
WHY IT MATTERS
Package manager typosquatting has been a proven attack vector for years — lodash vs lodahs, requests vs reqeusts. Tool squatting brings this pattern to the MCP ecosystem. An attacker registers striipe-mcp alongside the legitimate stripe-mcp, hoping that developers or automated tooling will connect to the wrong server.
The attack surface is broader than traditional typosquatting because MCP server discovery is still maturing. There is not yet a universally adopted, verified registry with namespace protection, so most clients take their server list from hand-edited JSON config files, where a single-character difference is easy to miss during setup. Note that the name a developer gives a server in that config is only a local label; the server actually reached is determined by the command and package it launches or the URL it connects to, so both the name and the transport endpoint need to be checked.
Once connected, the squatted server can serve tools that look identical to the legitimate ones — same names, same schemas — but with subtly different behaviour. It might log every API key passed as a parameter, modify transaction amounts, or inject malicious instructions into tool responses that influence the agent's subsequent actions.
The risk compounds in team environments where MCP configurations are shared. One developer's typo in a shared config propagates to every team member, and the squatted server silently receives all their agent's tool calls.
HOW POLICYLAYER USES THIS
Intercept's YAML policies can enforce a strict allowlist of permitted MCP server identifiers and transport endpoints. Tool calls are only proxied to servers that match the policy-defined list, so a squatted server with a slightly different name is rejected before any tool call reaches it. The audit trail also logs the server identifier for every tool invocation, making it straightforward to detect unexpected server names during security reviews.
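As an added illustration, not Intercept's policy format or PolicyLayer's own code, the following Python script applies the two checks described above to an mcpServers-style JSON config: exact allowlist matching on both the server name and its transport endpoint (URL, or launch command and arguments), plus edit-distance flagging of look-alike names so a reviewer sees why a server was rejected. The allowlist, server names, package names and URLs are constructed placeholders.

```python
"""Allowlist and look-alike check for an MCP server config (added example)."""
import json

# Constructed allowlist (hypothetical identifiers): the only servers, and for
# each one the only endpoint, that tool calls may be proxied to.
ALLOWED_SERVERS = {
    "stripe-mcp": {"url": "https://mcp.stripe.example/sse"},
    "github-mcp": {"command": "npx", "args": ["-y", "@example/github-mcp"]},
}

# Constructed shared team config with one look-alike entry and one unknown one.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "github-mcp":  {"command": "npx", "args": ["-y", "@example/github-mcp"]},
    "striipe-mcp": {"url": "https://mcp.striipe.example/sse"},
    "slack-mcp":   {"command": "npx", "args": ["-y", "@example/slack-mcp"]}
  }
}
""")


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def server_identity(cfg):
    """What the client actually connects to: a remote URL, or a local command."""
    if "url" in cfg:
        return ("url", cfg["url"])
    return ("command", cfg.get("command", ""), tuple(cfg.get("args", [])))


def check_config(config, allowlist=ALLOWED_SERVERS, max_distance=2):
    """Return one verdict per configured server: allow, or reject with a reason.

    A server is allowed only if its name is on the allowlist AND its endpoint
    matches the allowlisted one; a correct name pointing at the wrong endpoint
    is still a squat. Names off the allowlist are rejected, and the reason
    names any allowlisted server within max_distance edits of them.
    """
    findings = []
    for name, cfg in config.get("mcpServers", {}).items():
        if name in allowlist:
            if server_identity(cfg) != server_identity(allowlist[name]):
                findings.append({"server": name, "verdict": "reject",
                                 "reason": "endpoint differs from allowlisted endpoint"})
            else:
                findings.append({"server": name, "verdict": "allow", "reason": ""})
            continue
        near = [a for a in allowlist if edit_distance(name, a) <= max_distance]
        reason = (f"not in allowlist; looks like {near[0]!r}" if near
                  else "not in allowlist")
        findings.append({"server": name, "verdict": "reject", "reason": reason})
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print(f"{f['verdict']:6} {f['server']:12} {f['reason']}")
```

Run against the constructed config, github-mcp is allowed, striipe-mcp is rejected as a look-alike of stripe-mcp, and slack-mcp is rejected as simply unknown. The endpoint comparison is what catches the subtler case the text describes: a config entry that uses the legitimate name but points the client at a different URL or package.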