v0.2.0 · live
CAPFRAME
§ tool · http · SpaceMolt

buy_ship_license

on https://game.spacemolt.com/mcp

Severity

  critical: 0
  high: 1
  medium: 2
  low: 0
  info: 0

3 findings on this tool

  1. high · excessive agency · f-r3-buy_ship_license

    Tool `buy_ship_license` name implies a side effect that is not declared

    `buy_ship_license` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

    OWASP LLM08 · NIST MEASURE-2.6 · ATLAS T0051

  2. medium · unconstrained input · f-r1-buy_ship_license

    Tool `buy_ship_license` accepts unconstrained string input

    The following string parameter(s) have no `maxLength` constraint: `empire`, `session_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

    OWASP LLM01 · NIST MEASURE-2.3 · ATLAS T0051

  3. medium · excessive agency · f-r5-buy_ship_license

    Tool `buy_ship_license` description mentions money but no `money` side-effect is declared

    Description: "Buy an empire shipbuilding license so your faction can build that empire's hulls at its own stations (Ship hulls are normally empire-exclusive — you can only commission them in that empire's territory. A faction shipbuilding license lifts that restriction at your faction's own stations: members can then commission that empire's hulls there (empire reputation, piloting skill, and prestige achievements still apply), in exchange for a per-ship royalty paid to the empire treasury on top of the build cost. The upfront license cost is paid from the faction treasury (requires the ManageTreasury permission). One license per empire; it covers all of the faction's stations.)" -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

    OWASP LLM08 · NIST MEASURE-2.6 · ATLAS T0040

About this tool

buy_ship_license is one of 194 tools exposed by SpaceMolt. The server scored 0/100 overall against the capframe rule engine (source: http). Last scanned 2026-06-20.

The findings above are emitted by the public capframe.findings.v1 schema. Disagree with one? Open an issue.