Hugging Face Hub MCP

All 8 findings

1. high
   Tool `space_search` accepts an unbounded monetary / quota value· space_searchexcessive agency

   The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

   fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

2. high
   Tool `paper_search` accepts an unbounded monetary / quota value· paper_searchexcessive agency

   The numeric parameter(s) `results_limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

   fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

3. high
   Tool `hub_repo_details` accepts an unbounded monetary / quota value· hub_repo_detailsexcessive agency

   The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

   fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

4. medium
   Tool `hub_repo_search` accepts unconstrained string input· hub_repo_searchunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `author`, `query`, `sort`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

5. medium
   Tool `hub_repo_details` accepts unconstrained string input· hub_repo_detailsunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `config`, `repo_type`, `split`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

6. medium
   Tool `hf_doc_search` accepts unconstrained string input· hf_doc_searchunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `product`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

7. medium
   Tool `hf_doc_fetch` fetches external web content -- indirect-injection surface· hf_doc_fetchindirect injection

   Description: "Fetch a document from the Hugging Face or Gradio documentation library. For large documents, use offset to get subsequent chunks." -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

   fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

8. medium
   Tool `gr1_z_image_turbo_generate` accepts unconstrained string input· gr1_z_image_turbo_generateunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `prompt`, `resolution`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.