v0.2.0 · live
CAPFRAME

hf_fs

on https://huggingface.co/mcp

Severity

critical: 0
high: 1
medium: 1
low: 0
info: 0

2 findings on this tool

  1. high · ssrf surface · f-r8-hf_fs

    Tool `hf_fs` accepts an unconstrained URL / endpoint parameter

    The parameter(s) `uri` look like URL or endpoint inputs but carry no `pattern` or `enum` constraint. An agent tricked by an indirect-injection payload can invoke this tool with an internal-service URL (e.g. `http://169.254.169.254/`) to exfiltrate cloud metadata, probe internal APIs, or pivot to services the host can reach but the caller cannot.

    fix: Constrain the URL parameter with an allow-list `enum`, or a `pattern` that restricts scheme and domain. Validate server-side against an allow-list and reject private / loopback / link-local address ranges at the HTTP client level.

    OWASP LLM07 · NIST MANAGE-2.2 · ATLAS T0051 · CAST-02

  2. medium · unconstrained input · f-r1-hf_fs

    Tool `hf_fs` accepts unconstrained string input

    The following string parameter(s) have no `maxLength` constraint: `glob`, `uri`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

    OWASP LLM01 · NIST MEASURE-2.3 · ATLAS T0051 · CAST-03

About this tool

hf_fs is one of 8 tools exposed by Hugging Face Hub MCP. The server scored 70/100 overall against the capframe rule engine (source: http). Last scanned 2026-07-02.

The findings above are emitted by the public capframe.findings.v1 schema. Disagree with one? Open an issue.