An MCP rug pull happens when a once-trusted tool or provider changes behaviour after being installed or approved — typically by pushing a malicious update, changing the manifest to include hostile instructions, or swapping code in the registry. Users and LLMs that previously trusted the tool continue to invoke it, but the updated tool performs unauthorised actions (exfiltration, secret leakage, arbitrary calls) or otherwise abuses granted privileges. Rug pulls exploit implicit trust, weak provenance, and absent update controls in the MCP ecosystem.

Remediation

• Require cryptographic signing for tool manifests and all updates; reject updates that are unsigned or signed by an unexpected key.
• Pin tools by immutable identity (manifest hash / content-addressed ID) and require explicit re-approval for any hash change.
• Force staged update policies: notify and require human re-approval (or admin gate) for updates that expand permissions or change behaviour.
• Run third-party tools in least-privilege sandboxes and mediate sensitive ops (file access, network egress, secrets) at runtime.
• Provide rapid revocation and audit: maintain a blacklist/kill-switch for compromised tool IDs and emit tamper/evolution logs for monitoring and incident response.