v0.2.0 · live
CAPFRAME

Roundtable MCP

https://mcp.roundtable.now/mcp

Score: C (72)
Findings: 13
Tools: 13
Last scan: 2026-06-05

Severity breakdown

Critical: 0
High: 1
Medium: 12
Low: 0
Info: 0

Worst finding

Tool `set-thread-visibility` name implies a side effect that is not declared

· set-thread-visibility

`set-thread-visibility` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

All 13 findings

  1. high
    Tool `set-thread-visibility` name implies a side effect that is not declared · set-thread-visibility · excessive agency

    `set-thread-visibility` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  2. medium
    Tool `list-models` accepts unconstrained string input · list-models · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `thinking_level`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  3. medium
    Tool `list-sessions` accepts unconstrained string input · list-sessions · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `tool_name`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  4. medium
    Tool `get-session` accepts unconstrained string input · get-session · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `session_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  5. medium
    Tool `get-logs` accepts unconstrained string input · get-logs · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `event`, `level`, `session_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  6. medium
    Tool `get-thread-link` accepts unconstrained string input · get-thread-link · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `session_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  7. medium
    Tool `set-thread-visibility` accepts unconstrained string input · set-thread-visibility · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `session_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  8. medium
    Tool `consult-council` accepts unconstrained string input · consult-council · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `format`, `mode`, `thinking_level`, `webhook_url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  9. medium
    Tool `design-architecture` accepts unconstrained string input · design-architecture · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `scale`, `webhook_url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  10. medium
    Tool `review-code` accepts unconstrained string input · review-code · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `language`, `thinking_level`, `webhook_url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  11. medium
    Tool `plan-implementation` accepts unconstrained string input · plan-implementation · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `thinking_level`, `webhook_url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  12. medium
    Tool `debug-issue` accepts unconstrained string input · debug-issue · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `thinking_level`, `webhook_url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  13. medium
    Tool `assess-tradeoffs` accepts unconstrained string input · assess-tradeoffs · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `thinking_level`, `webhook_url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source: http (live HTTP MCP endpoint), classified against every rule. Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.