Attacks and threats

MCP rug pull

An MCP rug pull is when an MCP server behaves safely during review, then silently changes its tool definitions to malicious ones after it has been approved.

Definition

What is an MCP rug pull?

A rug pull exploits the gap between approval and use. An MCP server presents benign tools when a team first inspects and connects it, earning trust. Later, the server changes what those tools declare or do, turning a previously safe integration hostile without any action from the user who approved it.

It is the agent-tooling version of a supply-chain attack, and static review alone cannot catch it because the malicious state arrives after review. The defense is continuous: record each server's tool definitions over time, compare them against the approved baseline, and alert or block when they change, so a silent swap becomes publicly and provably visible.

FAQ

Common questions.

How do you catch an MCP rug pull?

Snapshot each server's tool definitions when you approve it and keep watching. Compare live definitions against that baseline on a schedule and alert on any change, since the attack only appears after the initial review.

Govern the actions, not just the vocabulary

AxioRank scores every tool call your agents make for leaked secrets, PII, destructive operations, and prompt injection, checks it against your policy, and proves it in a tamper-evident audit log. Start free, no card.