Definition
When an AI tool advertises one behavior in its description but actually does something different.
An attack class in which the natural-language description of a tool served over the Model Context Protocol (MCP) diverges from its actual implementation, exploiting LLM agents that read the description but not the source code.