AI DevelopmentNew Release13 min readPublished July 11, 2026

MCP tool fingerprinting lands in the AI SDK · detection, not prevention · one layer, not the whole stack

Vercel AI SDK Tool Drift Defenses: Stop MCP Rug Pulls

Vercel published ai@7.0.19 on July 9, 2026 with two new utilities — fingerprintTools and detectToolDrift — aimed squarely at the MCP “rug pull”: a tool that turns malicious after you approve it. It detects drift; it does not block anything, and it cannot catch a server that was hostile from day one. Here is what it covers, what it misses, and where it fits.

DA
Digital Applied Team
Senior strategists · Published Jul 11, 2026
PublishedJuly 11, 2026
Read time13 min
Sources9
Fields pinned per tool
3
description · input schema · title
Shipped in ai@7.0.19
Jul 9
14 days after AI SDK 7 GA
Attack class to native defense
~15mo
Invariant Labs PoC · Apr 1, 2025
MCP servers tracked
10k+
registry aggregate · Apr 2026
+47% in 4 months

Vercel AI SDK tool drift detection is now a first-party feature: ai@7.0.19, published July 9, 2026, ships fingerprintTools and detectToolDrift to catch MCP tools whose descriptions or schemas are silently mutated after you trust them — the attack the release notes name directly as “MCP tool-definition drift (‘rug pull’)”.

The stakes are structural, not hypothetical. The MCP specification allows a server’s tool list to change between calls with no required re-approval and no integrity check — that is a protocol property, not a bug. Every description, tool name, and argument schema a connected server advertises flows into your agent’s prompt. A server you approved in March can quietly serve different instructions in July, and until now the mainstream JavaScript agent stack had no built-in way to notice.

This guide covers what shipped in the patch, how the rug-pull attack class actually works, the fifteen-month path from proof-of-concept to framework-native defense, an implementation walkthrough on the current v7 API, a decision table for vendoring versus fingerprinting, and — because most coverage undersells this — an honest accounting of what fingerprinting cannot do.

Key takeaways
  1. 01
    ai@7.0.19 ships the first-party drift detector.Published July 9, 2026 — two weeks after AI SDK 7's June 25 GA — the patch adds fingerprintTools and detectToolDrift, explicitly framed at detecting MCP tool-definition drift, the rug pull.
  2. 02
    Rug pulls exploit a protocol property, not a bug.The MCP spec (2025-11-25) lets a server's tools/list response change between calls with no re-approval or integrity check. Invariant Labs demonstrated the attack class on April 1, 2025.
  3. 03
    The SDK detects; your app decides.fingerprintTools pins description, input schema, and title at trust time; detectToolDrift diffs a later fetch against that baseline. Storage and enforcement — block, warn, re-approve — are left to the application.
  4. 04
    It cannot catch a server malicious from day one.Fingerprinting only helps after a legitimate baseline exists. A server that ships poisoned tool descriptions on first contact gets fingerprinted as-is — that is the original tool-poisoning case, and it needs different controls.
  5. 05
    Treat it as one layer, not the stack.Layer fingerprinting with static vendoring for high-stakes tools, server allowlisting, human approval gates on sensitive operations, and the AI SDK 7 split between model-visible and app-only tools.

01What ShippedA security patch, two weeks after AI SDK 7 went GA.

AI SDK 7 shipped on June 25, 2026 with an agent-focused feature set: opt-in HMAC-signed tool approvals to prevent forged approvals, a WorkflowAgent for durable workflows, a HarnessAgent API for deploying across coding-agent runtimes, and a new separation between model-visible tools and app-only tools for MCP servers. Fourteen days later, ai@7.0.19 (July 9, 2026, 18:07 UTC) extended that security posture to the tool definitions themselves — the first framework-native drift-detection primitive we have seen land in a mainstream JavaScript agent SDK.

The two headline utilities work as a pair. One captures a trusted snapshot; the other compares reality against it later.

Pin
fingerprintTools
import { fingerprintTools } from “ai”

Computes a fingerprint over the server-controlled fields of a tool set — each tool's description, input schema, and title — at the moment your team approves the integration. That snapshot is your trust baseline.

Capture at approval time
Diff
detectToolDrift
import { detectToolDrift } from “ai”

Diffs a freshly computed fingerprint against the stored baseline and surfaces injected descriptions or silently widened schemas before the tools ever reach the model. What happens next — block, warn, re-approve — is your application's call.

Compare before every run
Also in the same patch
ai@7.0.19 is a broader integrity release than the two headline functions. It hardened tool-name resolution against prototype-pollution-style lookups — tool names matching inherited Object.prototype properties such as constructor, toString, valueOf, and __proto__ are now treated as unconfigured rather than resolving to prototype values, across approval resolution, tool-call parsing, and execution paths. It also preserves tool-approval signatures when an approval transitions to responded, keeping the HMAC-signed approval flow intact mid-conversation.

One packaging detail worth getting right on day one: the fingerprint utilities import from the core ai package, while createMCPClient — the MCP client constructor you use them alongside — ships from the separate @ai-sdk/mcp package in AI SDK 7. Several older tutorials still show the v5/v6-era experimental_createMCPClient import; that is not the current API. The v7 MCP client supports three transports: HTTP (recommended for production), SSE as a production alternative, and stdio for local development only.

02The Attack ClassThe rug pull: trust granted once, revised silently.

Elastic Security Labs’ September 2025 definition is the cleanest one in circulation: a rug pull occurs when “a tool’s description or behavior is silently altered after user approval, turning a previously benign tool potentially malicious.” The key phrase is after user approval. Unlike a phishing lure, the attack does not need you to make a bad decision — it needs you to make a good decision once, and then it changes the thing you decided about.

The canonical proof-of-concept comes from Invariant Labs, which first publicly documented the attack class on April 1, 2025. Their demo server exposes a benign “get fact of the day” tool. The client reviews it, approves it, everything works. On a later tools/list call, the server swaps in a poisoned description that instructs the agent to misuse a separately connected, fully legitimate WhatsApp MCP server — exfiltrating chat history to an attacker-controlled number. The malicious server never touches the data itself; it steers the agent’s hands.

Why is this possible at all? Because the MCP specification (2025-11-25 is current at this writing) allows a server’s tools/list response to change between calls with no required re-approval and no integrity check. Security researcher Nasser Ali Alzahrani put it bluntly in ReversingLabs’ April 2026 coverage: “Your AI agent’s tools can change after you approve them, without triggering any notification or re-consent. The MCP spec allows this by design.” It is a different failure mode from agentjacking, a related MCP attack pattern where a server is hostile from first contact — rug pulls specifically weaponize the time gap between approval and use.

"Without hashing or version-pinning, there is no mechanism to detect that a tool changed between the moment you approved it and the moment your agent called it. MCP shipped without either checksums or signed packages that solved this for traditional software supply chains decades ago."— Dan Graves, Chief Product Officer, WitnessAI · via ReversingLabs, April 2026

The attack surface this targets keeps compounding. Public registries tracked roughly 10,000+ MCP servers by April 2026, up from about 6,800 at year-end 2025 — a 47% jump in four months, per third-party registry aggregates (PulseMCP, the official MCP registry, Smithery, mcp.so, and npm keyword tags). Every one of those servers is a party whose tool text your agent may be ingesting as trusted prompt content.

Public MCP servers tracked — the growing surface rug pulls target

Source: registry aggregate (PulseMCP, official MCP registry, Smithery, mcp.so, npm tags) — not an official MCP-project metric
Year-end 2025third-party registry aggregate
~6,800
April 2026+47% in four months
~10,000+

03TimelineRoughly fifteen months from proof-of-concept to framework-native defense.

No single source lays out the full chronology, so we assembled it. From Invariant Labs naming the attack on April 1, 2025 to Vercel shipping a native detection primitive on July 9, 2026 is a little over fifteen months — a window in which the mitigation ideas moved steadily downstream: from security-research blogs, to a formal threat-modeling paper, to vendor guidance, to code in the default toolchain.

Timeline of the MCP rug-pull attack class from first public documentation to the first framework-native defense: Invariant Labs (April 2025), the ETDI threat-modeling paper (June 2025), Vercel’s static-vendoring post (September 2025), Elastic Security Labs’ defense recommendations (September 2025), ReversingLabs’ industry analysis (April 2026), and the AI SDK ai@7.0.19 release (July 2026). Compiled by Digital Applied from the individually cited sources.
DateActorWhat happenedType
Apr 1, 2025Invariant LabsNames tool poisoning and demonstrates the rug pull: post-approval description swap steering a legitimate WhatsApp MCP server into exfiltrationResearch finding + PoC
Jun 2025ETDI paper (academic)Formal threat model proposing cryptographic signing and OAuth-scoped capabilities as rug-pull mitigationsMitigation proposal
Sep 17, 2025Vercelmcp-to-ai-sdk: generate static, codebase-locked AI SDK tool definitions from an MCP server — vendoring as the fixShipped tooling
Sep 19, 2025Elastic Security LabsDefense recommendations: human approval on sensitive operations, no always-allow settings in privileged environmentsDefense guidance
Apr 29, 2026ReversingLabsFrames rug pulls as a named subcategory — post-deployment drift attacks in AI systems — with CISO and researcher commentaryIndustry analysis
Jul 9, 2026Vercelai@7.0.19 ships fingerprintTools and detectToolDrift — pin and diff, productized at the framework layerShipped code

Two things stand out in that chronology. First, the shipped mechanism is not new thinking — Invariant’s own 2025 mitigation list already recommended pinning MCP server versions via hashes and checksums; the ETDI paper formalized signing a few months later. What changed in July 2026 is where the control lives: in the framework developers already import, rather than in a security product they would have to go find. Second, the interval matters as a signal. Randolph Barr, CISO at Cequence Security, called this “the early emergence of a distinct category worth naming: post-deployment drift attacks in AI systems, more colloquially known as ‘rug pulls.’” When an attack class gets a name, a formal model, vendor guidance, and then first-party framework support inside fifteen months, that is the security ecosystem treating agentic tooling as production infrastructure — the same trajectory dependency signing took in traditional supply-chain security, compressed.

04MechanicsPin at trust time, diff on every refetch.

The mental model is a lockfile for tool definitions. fingerprintTools pins the three server-controlled fields of each tool — description, input schema, and title — at the moment you decide to trust the server. detectToolDrift compares any later fingerprint against that baseline and surfaces what changed, before the tool text reaches the model’s context. On the current v7 API, the whole loop looks like this:

import { createMCPClient } from "@ai-sdk/mcp";
import { detectToolDrift, fingerprintTools } from "ai";

const mcpClient = await createMCPClient({
  transport: { /* HTTP transport — recommended for production */ },
});

// 1. At trust time — after your team reviews the tool set
const tools = await mcpClient.tools();
const baseline = await fingerprintTools(tools);
// Persist the baseline yourself: DB row, KV entry, or committed JSON.

// 2. Before each later run — refetch, re-fingerprint, diff
const current = await fingerprintTools(await mcpClient.tools());
const drift = detectToolDrift(current, baseline);

// 3. The SDK stops here. Blocking, warning, or re-prompting
//    for human approval is your application's decision.

The comments in steps one and three are the part teams miss. The SDK computes and diffs fingerprints — nothing more. It does not persist the baseline, and it does not enforce anything when drift is found. Where you store the baseline and what a drift event triggers (fail closed, alert and continue, or route to a human re-approval queue) are application decisions, and they are the decisions that determine whether this control has teeth. A drifted description is, functionally, a prompt-injection payload delivered through your tool channel — which is why we treat drift detection as the tool-gating layer in our 12-layer prompt-injection defense framework.

Version context matters here too. As we covered in our AI SDK 6 deep dive, v6’s MCP support was stable infrastructure for connecting to and calling MCP tools — but it shipped no fingerprinting or diffing utility. If you are on v6, this primitive is a reason to plan the v7 move, not something to backport by hand. Note also that mcpClient.tools() has two modes: automatic schema discovery (everything the server advertises, types inferred from server-provided schemas) or explicit developer-defined schemas per tool name for compile-time type safety. Explicit schemas are themselves a drift dampener — you consume only the tools you declared.

Pinned at trust time
Description · schema · title
3fields

fingerprintTools covers the server-controlled fields that flow into your agent's prompt — the exact fields the Invariant PoC mutated after approval.

fingerprintTools
Enforcement built in
The app decides
0

detectToolDrift only reports. Baseline storage, blocking, alerting, and re-approval flows are deliberately left to the application layer.

your persistence + policy
Transports in v7
HTTP · SSE · stdio
3

HTTP is recommended for production, SSE is the alternative, stdio is local-development only. The old HTTP+SSE transport from the 2024-11-05 spec was retired on 2025-03-26.

@ai-sdk/mcp client

05Trust StrategiesVendor, fingerprint, or trust blindly — the real trade-off.

Here is the framing most coverage of this release misses: Vercel already shipped a fix for tool drift once. In September 2025, its mcp-to-ai-sdk tool proposed a heavier-weight answer — generate static AI SDK tool definitions from an MCP server and lock the schemas into your codebase, so the live server’s text never reaches your prompt at all. The July 2026 fingerprint utilities are the lightweight runtime alternative for teams that still want to call the live server and keep receiving its legitimate updates. These are two points on one spectrum of trust strategies, and they fit different tools.

"Tool names, descriptions, and argument schemas become part of your agent's prompt and can change unexpectedly without warning."— Malte Ubl and Andrew Qu, Vercel · September 2025
Comparison of three MCP tool-trust strategies — static vendoring with mcp-to-ai-sdk, runtime fingerprint-and-diff with fingerprintTools and detectToolDrift, and no integrity control — across what each catches, whether it tracks legitimate server updates, engineering overhead, and best fit. Digital Applied synthesis of publicly documented mechanics; no single source publishes this comparison.
StrategyDescription driftSchema wideningDay-one-malicious serverLegit server updatesBest fit
Static vendoringmcp-to-ai-sdk · schemas locked in codebaseBlocked — the live description never enters your promptBlocked — schema is frozen at generation timeNot by itself — you vendor whatever the server served; code review at generation time is the checkMissed — requires manual regeneration to pick upHigh-stakes tools on stable servers; crown-jewel data scopes
Fingerprint + difffingerprintTools · detectToolDrift · ai@7.0.19+Detected on refetch — app must then actDetected — widened inputs diff against the pinned schemaMissed — the baseline fingerprints the malicious definitions as trustedFlagged — every legitimate update also surfaces as drift for re-reviewLive servers that update; medium-trust third-party integrations
No integrity controlautomatic schema discovery only — the status quoMissed entirelyMissed entirelyMissed entirelyFollowed silently — including the malicious onesThrowaway prototypes with no real data access

The subtlety in the middle row is worth naming: fingerprinting flags every change, hostile or benign. A server that legitimately improves a tool description will trip the same diff a rug pull does. That is a feature, not noise — it converts silent change into an explicit re-approval event — but it means teams need a review workflow, not just an alert channel, or drift warnings will get rubber-stamped the way certificate warnings once were.

Crown-jewel scopes
CRM, payments, email send

Vendor the tool definitions statically and review regenerations like dependency bumps. A drifted description near money or customer data should never be a runtime surprise.

Vendor (mcp-to-ai-sdk)
Living integrations
Third-party servers that update

Fingerprint at approval, diff before every run, and route drift to a human re-approval queue. You keep the server's legitimate improvements without inheriting silent changes.

Fingerprint + diff
Belt and suspenders
High-value agent fleets

Do both: vendored definitions for the sensitive subset, fingerprint-and-diff on everything else, plus HMAC-signed approvals and per-tool human gates from AI SDK 7's agent controls.

Layer both
Prototypes
Local experiments, no real data

Automatic schema discovery over stdio is fine for a local spike. The moment a prototype touches production credentials or customer data, it graduates into one of the rows above.

Discovery is acceptable

06Honest LimitsWhat fingerprinting cannot do.

Most coverage of this feature — and of MCP security generally — undersells its boundaries. Four limits deserve plain statement.

It cannot catch a server malicious from day one. Fingerprinting pins fields at trust time. If the very first tools/list response already carries poisoned descriptions — the original tool-poisoning case Invariant Labs documented — then the poison is the baseline, and every later diff comes back clean. Drift detection only helps after a legitimate baseline exists; establishing that the baseline is legitimate requires different controls: source review, server allowlisting, reputation, and reading the tool text a human actually approves.

It detects; it does not prevent. Per the docs and release notes, the SDK computes and diffs fingerprints — it does not block a drifted tool, quarantine a server, or re-prompt anyone. An app that logs drift to a dashboard nobody watches has, in practice, no control at all. Fail-closed handling is yours to build.

It pins definitions, not behavior. The fingerprint covers description, input schema, and title. A server whose tool text stays byte-identical while its implementation changes what it does with your data will never trip the diff. Elastic’s definition explicitly includes behavior changes in the rug-pull class; definition fingerprinting addresses the description half, not the behavior half. Output monitoring and least-privilege scopes cover the rest.

Your baseline is only as safe as its storage. The SDK leaves persistence to you. A baseline stored where the attacker — or the compromised server’s SDK integration — can rewrite it is a control that can be rug-pulled itself. Treat the baseline like a lockfile: version it, review changes to it, and keep write access away from the runtime path.

Threat status, honestly stated
As of this writing, we found no publicly confirmed in-the-wild rug-pull incident with a named victim — the most recent tracker snapshot we reviewed (April 2026) reported none, and that could change at any time. Rug pulls remain a demonstrated, formally recognized threat class rather than a documented breach pattern. That is the cheapest possible moment to deploy a detection control: before the first incident report, not after yours.

Looking forward, the protocol-level gap is still open — the MCP spec itself requires no tool-definition integrity check, so every defense today lives client-side. The ETDI line of work (cryptographic signing, OAuth-scoped capabilities) sketches what a protocol-native fix could look like; until something like it lands in the specification, expect more frameworks to follow Vercel’s pattern and ship client-side pin-and-diff primitives. Our projection: within a couple of release cycles, drift detection defaulting to on — not opt-in — becomes the differentiator among agent frameworks, the way lockfiles went from novelty to table stakes in package managers.

07Layered DefenseOne control in a stack, not the stack.

Fingerprinting earns its keep as one layer in a deliberate stack. Here is the order we implement for client teams running MCP-backed agents in production:

  • Allowlist servers before anything else. Decide which MCP servers may be connected at all, and treat additions like dependency adoption — provenance, maintainer, and a read of the actual tool text. Fingerprinting a server you should never have connected is theater.
  • Vendor the crown jewels. For tools that touch payments, CRM records, or outbound email, lock definitions into the codebase mcp-to-ai-sdk-style and review regenerations in pull requests.
  • Fingerprint and diff everything live. Baseline at approval, diff before every run, fail closed on drift, and route changes to a human re-approval queue with the old and new text side by side.
  • Gate sensitive operations on a human. Elastic’s recommendation stands regardless of fingerprinting: require human approval for sensitive operations and avoid always-allow or auto-run settings for tools touching sensitive data or running in high-privilege environments. Fingerprinting catches the drift; approval gates cap the blast radius when something slips through.
  • Use AI SDK 7’s trust boundaries. Keep app-only tools out of the model’s context entirely (they render in a sandboxed iframe and never become prompt text), and turn on HMAC-signed tool approvals so an approval cannot be forged even by injected content.
  • Prefer HTTP transport in production. stdio is local-development only and cannot be deployed; HTTP is the recommended production transport in v7.

If you want the exhaustive version of this exercise, run the 75-point MCP security audit — tool-definition integrity is one family of checks among many — and pair it with our full MCP security best-practices guide for the server-side view. For teams that want this implemented rather than read about, our AI transformation engagements include exactly this kind of agent-security hardening as part of production rollout.

08ConclusionA lockfile moment for agent tooling.

The bottom line, July 2026

Fingerprint what you trust, and decide in advance what happens when it changes.

ai@7.0.19 is a small patch with a large signal: the mainstream JavaScript agent stack now ships a first-party answer to the MCP rug pull. fingerprintTools pins the description, schema, and title you approved; detectToolDrift tells you when reality diverges. That closes the exact gap security researchers spent fifteen months documenting — the silent window between the moment you approve a tool and the moment your agent calls it.

The honest framing is just as important as the feature. This is detection, not prevention: the SDK will not store your baseline, block a drifted tool, or save you from a server that was hostile on first contact. Teams that treat the fingerprint as a complete defense will get exactly the false confidence that makes the next incident report worse.

Treat it instead the way you treat a lockfile — one precise, cheap, automatic integrity check inside a broader supply-chain discipline of allowlists, vendored definitions for sensitive scopes, human approval gates, and least privilege. Baseline your connected servers this week, wire drift to a fail-closed path, and you will have converted a silent attack window into a reviewable event — which is most of what supply-chain security has ever meant.

Ship agents you can actually trust

Your agents are only as trustworthy as the tools they were handed.

Our team hardens MCP-backed agent stacks for production — tool allowlisting, drift detection wiring, approval gates, and the audit trail to prove it — delivered in days, not quarters.

Free consultationExpert guidanceTailored solutions
What we work on

Agent-security engagements

  • MCP server allowlisting & tool-definition review
  • fingerprintTools / detectToolDrift rollout & fail-closed wiring
  • Human approval gates for sensitive agent operations
  • AI SDK 6 → 7 migrations with security hardening
  • Agent supply-chain audits across MCP integrations
FAQ · MCP tool drift

The questions we get every week.

They are two utilities added to the core ai package in ai@7.0.19, published July 9, 2026. fingerprintTools computes a fingerprint over the server-controlled fields of an MCP tool set — each tool's description, input schema, and title — which you capture at the moment you approve the integration and persist as a trust baseline. detectToolDrift diffs a later fingerprint against that stored baseline and surfaces injected descriptions or silently widened schemas before the tools reach the model. The release notes frame the pair explicitly as detecting MCP tool-definition drift, colloquially known as the rug pull. The SDK only fingerprints and diffs; storing the baseline and deciding what happens on detected drift are left to your application.
Related dispatches

Continue exploring agent security.