Capability Identity
Explain how MCPTrust uniquely identifies a tool and why semantic hashing matters.
What is a Capability?
Definition: A capability is a tool (or resource, or prompt) exposed by an MCP server.
Components of a Tool
| Field | Example | Significance |
|---|---|---|
| name | read_file | The identifier agents use to call it |
| description | "Reads a file from disk" | Human-readable documentation |
| inputSchema | {"type":"object","properties":{"path":{"type":"string"}}} | The JSON Schema defining valid arguments |
| riskLevel | MEDIUM | MCPTrust's assessed danger level |
The Identity Problem: Names Are Not Enough
Scenario: Imagine a tool named safe_read. At version 1.0, it reads files. At version 1.1, someone adds an optional --exec flag that executes shell commands.
The Problem: The name didn't change. The description might not change. But the schema changed, and so did the risk.
Solution: MCPTrust hashes the entire shape of the tool, not just its name.
How Hashing Works: Cryptographic Fingerprinting
Algorithm
- Description Hash: SHA-256(raw_description_bytes). An exact byte match is required; even adding a space triggers drift.
- Input Schema Hash: SHA-256(CanonicalJSON(inputSchema)). Keys are sorted alphabetically before hashing, which ensures consistent hashes across different JSON serializers.
Code Example (conceptual)
```go
// Conceptual only: canonical.JSON stands for a canonical-JSON serializer (sorted keys), not a real package.
descriptionHash := sha256.Sum256([]byte(tool.Description))
schemaHash := sha256.Sum256([]byte(canonical.JSON(tool.InputSchema)))
```
Drift Types
| Drift Type | What Changed | Severity | Example |
|---|---|---|---|
| tool_added | New tool appeared | Critical | Server added exec_shell |
| tool_removed | Tool disappeared | Info | Server removed read_file |
| tool_changed | Description or Schema changed | Safe / Critical | Description typo fix (Safe) vs Schema change (Critical) |
| risk_level_changed | Risk recategorized | Critical | LOW → HIGH |
| prompt_changed | Prompt definition changed | Safe | Updated system prompt text |
| template_changed | Resource template changed | Safe | Updated URI template pattern |
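The following Go program is an added example, not MCPTrust's own code. It implements the two hashes described above (raw description bytes, canonical-JSON schema) and the tool_added, tool_removed and tool_changed rows of the drift table, then runs them over the safe_read scenario from earlier on the page. The type names (Tool, Fingerprint, Drift), the canonicalization strategy (decode with encoding/json and re-encode, which sorts object keys; a simplification, not RFC 8785 JCS) and the two sample snapshots are all assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Tool is a minimal stand-in for an MCP tool definition (hypothetical type, not MCPTrust's own).
type Tool struct {
	Name, Description string
	InputSchema       json.RawMessage // schema bytes exactly as the server sent them
}
// Fingerprint holds the two hashes that make up a tool's identity.
type Fingerprint struct{ DescriptionHash, SchemaHash string }

// FingerprintTool hashes the description byte-for-byte and the schema in canonical form.
// Canonical form here means "decode, then re-encode with encoding/json", which sorts
// object keys; this simplified canonicalization is an assumption of the example, not RFC 8785.
func FingerprintTool(t Tool) (Fingerprint, error) {
	var v interface{}
	if err := json.Unmarshal(t.InputSchema, &v); err != nil {
		return Fingerprint{}, fmt.Errorf("tool %q: invalid inputSchema: %w", t.Name, err)
	}
	canon, _ := json.Marshal(v)                  // cannot fail for values produced by Unmarshal
	desc := sha256.Sum256([]byte(t.Description)) // no trimming or normalization
	schema := sha256.Sum256(canon)
	return Fingerprint{hex.EncodeToString(desc[:]), hex.EncodeToString(schema[:])}, nil
}

// Drift is one detected change between two snapshots of a server's tool list.
type Drift struct{ Type, Tool, Severity string } // Type: tool_added, tool_removed, tool_changed

// DetectDrift compares two snapshots and classifies each difference per the drift table.
func DetectDrift(before, after []Tool) ([]Drift, error) {
	prev := map[string]Fingerprint{}
	for _, t := range before {
		fp, err := FingerprintTool(t)
		if err != nil {
			return nil, err
		}
		prev[t.Name] = fp
	}
	var drifts []Drift
	seen := map[string]bool{}
	for _, t := range after {
		seen[t.Name] = true
		fp, err := FingerprintTool(t)
		if err != nil {
			return nil, err
		}
		old, ok := prev[t.Name]
		switch {
		case !ok:
			drifts = append(drifts, Drift{"tool_added", t.Name, "Critical"})
		case old.SchemaHash != fp.SchemaHash: // tool accepts different inputs: Critical
			drifts = append(drifts, Drift{"tool_changed", t.Name, "Critical"})
		case old.DescriptionHash != fp.DescriptionHash: // text-only change: Safe
			drifts = append(drifts, Drift{"tool_changed", t.Name, "Safe"})
		}
	}
	for name := range prev {
		if !seen[name] {
			drifts = append(drifts, Drift{"tool_removed", name, "Info"})
		}
	}
	sort.Slice(drifts, func(i, j int) bool { return drifts[i].Tool < drifts[j].Tool })
	return drifts, nil
}

const pathSchema = `{"type":"object","properties":{"path":{"type":"string"}}}`

// Constructed sample snapshots (not captured from a real server).
var snapshotV10 = []Tool{
	{"read_file", "Reads a file from disk", json.RawMessage(pathSchema)},
	{"safe_read", "Reads a file safely", json.RawMessage(pathSchema)},
	{"list_dir", "Lists a directory", json.RawMessage(pathSchema)},
	{"stat", "Returns file metadata", json.RawMessage(pathSchema)},
}
var snapshotV11 = []Tool{
	// Same schema with keys in another serializer's order: no drift.
	{"read_file", "Reads a file from disk", json.RawMessage(`{"properties":{"path":{"type":"string"}},"type":"object"}`)},
	// Name and description unchanged, but the schema gained an exec flag: tool_changed / Critical.
	{"safe_read", "Reads a file safely", json.RawMessage(`{"type":"object","properties":{"path":{"type":"string"},"exec":{"type":"boolean"}}}`)},
	// Description differs by one byte (trailing period): tool_changed / Safe.
	{"stat", "Returns file metadata.", json.RawMessage(pathSchema)},
	// list_dir is gone (tool_removed / Info) and exec_shell is new (tool_added / Critical).
	{"exec_shell", "Runs a shell command", json.RawMessage(`{"type":"object","properties":{"cmd":{"type":"string"}}}`)},
}

func main() {
	drifts, err := DetectDrift(snapshotV10, snapshotV11)
	if err != nil {
		panic(err)
	}
	for _, d := range drifts {
		fmt.Printf("%-13s %-11s %s\n", d.Type, d.Tool, d.Severity)
	}
}
```

Running it prints four drifts: exec_shell added (Critical), list_dir removed (Info), safe_read changed (Critical, because its schema hash moved even though name and description are identical) and stat changed (Safe, a one-byte description edit). read_file produces no drift at all despite the re-ordered keys, which is the property the canonical-JSON step exists to provide. A malformed inputSchema is rejected rather than hashed, so a server cannot dodge comparison by sending bytes that no serializer would normalize.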
Why This Matters
- Security Guarantee: If the schema hash changes, you know the tool accepts different inputs than before.
- Attacker Scenario: A supply chain attacker modifies a tool to accept a command argument. Even if the description is unchanged, the schema hash will differ, triggering an alert.