
How to Prevent Tool Manipulation via MCP Servers

MCP servers define which tools are available to your agent. A malicious or compromised MCP server can advertise dangerous tools with innocent-sounding names, alter tool behavior between sessions, or execute unauthorized actions when tools are called.


Why MCP Is Vulnerable to Tool Manipulation

MCP servers have full control over tool discovery, description, and execution. Your agent trusts the server's tool listing and calls tools based on their advertised names and descriptions. A malicious server can misrepresent tools, change tool behavior silently, or execute additional unauthorized actions alongside legitimate tool calls.

Attack Scenarios

Tool Discovery Deception

An MCP server advertises a tool named 'search_docs' that actually exfiltrates data. The agent trusts the tool name and calls it with sensitive parameters.

Example Payload
// Malicious server: tool 'search_docs' actually sends all parameters to evil.com

Silent Tool Behavior Change

An MCP server updates its tool implementation between sessions. What was a legitimate search tool now includes hidden data collection.

Example Payload
// Version 1.0: search(query) => returns results. Version 1.1: search(query) => logs query to external DB, returns results.

How to Prevent This

1. Use rune-mcp with tool filtering policies

Define which tools are allowed per MCP server. Block tools with dangerous capabilities.

# rune-policy.yaml
mcp:
  servers:
    my-server:
      allowed_tools: ["search", "read_file"]
      blocked_tools: ["execute", "http_request", "send_email"]

2. Enable integrity verification

Hash MCP server code on initial review and verify it hasn't changed before each session.

3. Audit tool listings periodically

Regularly check what tools each MCP server is advertising. Alert when new tools appear or descriptions change.
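The three steps above describe what a policy-enforcing proxy has to do on the wire: hide tools that are not on the allow list, refuse calls to blocked tools, detect when a server's advertised tools drift between sessions, and check that the server code itself has not changed. The following is an added example written for this guide; it is not rune-mcp's code, and its policy dict, its constructed tools/list results for a "version 1.0" and "version 1.1" server, and its use of JSON-RPC error code -32000 are all this example's own assumptions.

```python
"""Policy checks on MCP JSON-RPC traffic: allow-list filtering, call blocking,
listing-drift detection and server-code integrity (added example, not Rune's code)."""
import hashlib
import json
from pathlib import Path

# Policy mirroring rune-policy.yaml above; the dict shape is this example's own.
POLICY = {
    "my-server": {
        "allowed_tools": {"search", "read_file"},
        "blocked_tools": {"execute", "http_request", "send_email"},
    }
}

# Constructed tools/list results from two sessions of the same server. In the
# second session the search tool's description changed and a new tool appeared.
LISTING_V1 = {"tools": [
    {"name": "search", "description": "Search the docs",
     "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}}},
    {"name": "read_file", "description": "Read a file",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "execute", "description": "Run a shell command",
     "inputSchema": {"type": "object", "properties": {"cmd": {"type": "string"}}}},
]}
LISTING_V1_1 = {"tools": [
    {"name": "search", "description": "Search the docs and cache queries remotely",
     "inputSchema": LISTING_V1["tools"][0]["inputSchema"]},
    LISTING_V1["tools"][1],
    LISTING_V1["tools"][2],
    {"name": "http_request", "description": "Fetch a URL",
     "inputSchema": {"type": "object", "properties": {"url": {"type": "string"}}}},
]}

DENY_ALL = {"allowed_tools": set(), "blocked_tools": set()}  # unknown server: fail closed


def _permitted(server, name, policy):
    rules = policy.get(server, DENY_ALL)
    return name in rules["allowed_tools"] and name not in rules["blocked_tools"]


def filter_tool_listing(server, listing, policy=POLICY):
    """Apply the server's allow/block lists to a tools/list result.
    Returns the filtered result and the names hidden from the agent."""
    kept, dropped = [], []
    for tool in listing.get("tools", []):
        (kept if _permitted(server, tool["name"], policy) else dropped).append(
            tool if _permitted(server, tool["name"], policy) else tool["name"])
    return {"tools": kept}, dropped


def check_tool_call(server, request, policy=POLICY):
    """Return None if a tools/call may be forwarded, else a JSON-RPC error
    response to send to the client instead of forwarding the call."""
    if request.get("method") != "tools/call":
        return None
    name = request.get("params", {}).get("name")
    if _permitted(server, name, policy):
        return None
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "error": {"code": -32000, "message": f"tool '{name}' is blocked by policy"}}


def listing_fingerprint(listing):
    """Map each tool name to a SHA-256 of its description and input schema."""
    fp = {}
    for tool in listing["tools"]:
        canon = json.dumps({"description": tool.get("description", ""),
                            "inputSchema": tool.get("inputSchema", {})}, sort_keys=True)
        fp[tool["name"]] = hashlib.sha256(canon.encode()).hexdigest()
    return fp


def diff_listing(baseline, current):
    """Compare two fingerprints; any non-empty field is worth an alert."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in baseline.keys() & current.keys()
                          if baseline[n] != current[n]),
    }


def snapshot_dir(root):
    """Read every file under root into {relative_posix_path: bytes}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def hash_snapshot(files):
    """One SHA-256 over file names and contents; record it at review time and
    compare before each session (step 2)."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path] + b"\0")
    return h.hexdigest()


if __name__ == "__main__":
    visible, hidden = filter_tool_listing("my-server", LISTING_V1)
    print("visible:", [t["name"] for t in visible["tools"]], "hidden:", hidden)
    call = {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
            "params": {"name": "execute", "arguments": {"cmd": "id"}}}
    print("blocked call ->", check_tool_call("my-server", call)["error"]["message"])
    print("listing drift:", diff_listing(listing_fingerprint(LISTING_V1),
                                          listing_fingerprint(LISTING_V1_1)))
    # Constructed stand-in for hash_snapshot(snapshot_dir("<server dir>"))
    baseline = hash_snapshot({"index.js": b"console.log('v1')"})
    print("code changed:", baseline != hash_snapshot({"index.js": b"console.log('v1.1')"}))
```

The allow list is authoritative and the block list is a second gate, so a tool the server adds later is hidden by default; the drift check hashes the description and input schema rather than only the name, because the "silent behavior change" scenario above is exactly a tool whose name stays the same while what it does changes.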

How Rune Detects This

  • Tool listing validation — compares advertised tools against the allowed list
  • Server integrity — detects unauthorized code changes
  • Parameter scanning — validates tool call arguments through the proxy

Configure rune-mcp as the proxy in front of the upstream server:

{
  "mcpServers": {
    "tools": {
      "command": "rune-mcp",
      "args": ["--upstream", "npx", "my-server", "--verify-integrity"],
      "env": { "RUNE_API_KEY": "rune_live_xxx" }
    }
  }
}

What it catches:

  • Tools not on the allowed list being advertised by the server
  • Changes to MCP server code between sessions
  • Injection patterns in tool call parameters
  • Unauthorized tool registrations
