v0.2.0 · live
CAPFRAME
← leaderboard/rank #55
§ serverhttpfindings.v2

Manifold Markets MCP

https://api.manifold.markets/v0/mcp

Score
B88
Findings
5
Tools
5
Last scan
2026-06-05

Severity breakdown

Critical0
High1
Medium4
Low0
Info0

Worst finding

Tool `get-bets` accepts an unbounded monetary / quota value

· get-bets

The numeric parameter(s) `minAmount` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

All 5 findings

  1. high
    Tool `get-bets` accepts an unbounded monetary / quota value· get-betsexcessive agency

    The numeric parameter(s) `minAmount` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  2. medium
    Tool `search-markets` accepts unconstrained string input· search-marketsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `contractType`, `creatorId`, `filter`, `sort`, `term`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  3. medium
    Tool `get-market` accepts unconstrained string input· get-marketunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  4. medium
    Tool `get-user` accepts unconstrained string input· get-userunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `username`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  5. medium
    Tool `search-users` accepts unconstrained string input· search-usersunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `term`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source http live HTTP MCP endpoint, classified against every rule. Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.