[alexandriaeden]

Thanks — the economic friction approach is interesting. Curated registries and local scanning solve different parts of the problem though. A registry gate catches bad actors at listing time, but the rug pull attack happens after approval: a server passes review with clean tool descriptions, gets installed by users, then silently updates its definitions. That's the gap tool pinning covers — you hash the definitions you approved and detect any change, even from a previously-trusted server.

The other thing is that many MCP servers never go through a registry at all. Internal tools, company-specific integrations, anything installed from a direct GitHub link. Those need scanning at the point of installation, not the point of listing.

Both approaches are complementary. Happy to compare notes on detection rules if you want to cross-reference what your content review catches vs. what the pattern matcher flags.