v0.2.0 · live
CAPFRAME
← leaderboard/rank #57
§ serverhttpfindings.v2

AWS Knowledge MCP

https://knowledge-mcp.global.api.aws

Score
B88
Findings
5
Tools
6
Last scan
2026-06-05

Severity breakdown

Critical0
High1
Medium4
Low0
Info0

Worst finding

Tool `aws___search_documentation` accepts an unbounded monetary / quota value

· aws___search_documentation

The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

All 5 findings

  1. high
    Tool `aws___search_documentation` accepts an unbounded monetary / quota value· aws___search_documentationexcessive agency

    The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  2. medium
    Tool `aws___search_documentation` accepts unconstrained string input· aws___search_documentationunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `search_phrase`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  3. medium
    Tool `aws___recommend` accepts unconstrained string input· aws___recommendunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  4. medium
    Tool `aws___get_regional_availability` accepts unconstrained string input· aws___get_regional_availabilityunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `next_token`, `region`, `resource_type`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  5. medium
    Tool `aws___retrieve_skill` accepts unconstrained string input· aws___retrieve_skillunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `file`, `skill_name`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source http live HTTP MCP endpoint, classified against every rule. Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.