Webzum MCP

All 18 findings

1. high
   Tool `create_site` name implies a side effect that is not declared· create_siteexcessive agency

   `create_site` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

   fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

2. high
   Tool `create_lead_gen_site` name implies a side effect that is not declared· create_lead_gen_siteexcessive agency

   `create_lead_gen_site` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

   fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

3. high
   Tool `update_site_html` name implies a side effect that is not declared· update_site_htmlexcessive agency

   `update_site_html` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

   fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

4. medium
   Tool `search_businesses` accepts unconstrained string input· search_businessesunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `query`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

5. medium
   Tool `create_lead_gen_site` fetches external web content -- indirect-injection surface· create_lead_gen_siteindirect injection

   Description: "Create a third-party LEAD-GENERATION page about a business (NOT a site for that business itself). Use this when the goal is to drive qualified search traffic to someone else's business — affiliate pages, review/guide pages, niche directories. The page is branded as an outside guide (e.g. "Best Roofers in San Diego"), refers to the business in the third person, and routes CTAs to the business's existing website. Differences from create_site: - Slug + page brand are SEO-vanity (e.g. "best-roofers-sandiego"), not the candidate's brand name. - Voice is third-party guide/reviewer — never first person. - Primary CTA is "visit their website"; phone/email demoted. - No specific pricing quoted; differentiators emphasized. - Locality is judged by category, not just address (IT/SaaS/agency stays category-wide even when a city is on file). Pass a business candidate object from search_businesses — that business is the one being PROMOTED. Requires authentication via API key (Bearer token). Generate an API key at webzum.com/dashboard/account-settings. The page generation happens in the background. Use get_site_status to check progress. Returns the businessId (a vanity slug) which can be used to access the page at /build/{businessId}." -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

   fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

6. medium
   Tool `get_site_status` accepts unconstrained string input· get_site_statusunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `businessId`, `versionId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

7. medium
   Tool `generate_geo_page` accepts unconstrained string input· generate_geo_pageunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `aiPromptPrefix`, `brandName`, `city`, `email`, `googleAnalyticsId`, `googleTagManagerId`, `niche`, `phone`, `primaryColor`, `state`, `targetAudience`, `webhookUrl`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

8. medium
   Tool `host_site` accepts unconstrained string input· host_siteunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `description`, `email`, `siteName`, `siteType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

9. medium
   Tool `host_file` accepts unconstrained string input· host_fileunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `businessId`, `content`, `contentType`, `encoding`, `filename`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

10. medium
    Tool `get_hosted_files` accepts unconstrained string input· get_hosted_filesunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `businessId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

11. medium
    Tool `host_zip` accepts unconstrained string input· host_zipunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `businessId`, `zipContent`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

12. medium
    Tool `clone_site` accepts unconstrained string input· clone_siteunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `businessId`, `filename`, `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

13. medium
    Tool `clone_site` fetches external web content -- indirect-injection surface· clone_siteindirect injection

    Description: "Clone a public web page into a hosted site. Fetches the URL, walks its same-origin assets (CSS, JS, images, fonts), rewrites references to local paths, and uploads everything as a working hosted copy in one shot. ========================================================================== USE THIS WHEN THE USER SAYS ========================================================================== - "clone this site / page / website" - "copy this site / page" - "mirror this site" - "duplicate this page" - "save this website" - "make me a version of <URL>" - "I want this page on my own domain" - "rip this page", "fork this site", "backup this site" If a user pastes a URL and wants their own copy of what's there — this is the tool. The agent should not try to recreate the page from memory or by describing what it sees: that is slow, lossy, and burns your context window for no benefit. `clone_site` produces a byte-accurate copy in seconds and leaves your context free for the iteration the user actually wants (rewriting copy, swapping images, restyling, etc.). ========================================================================== WHAT IT DOES ========================================================================== Default behavior is to crawl assets so the cloned page actually renders. Set `crawlAssets: false` to save only the single HTML response without following any assets — useful when you only want the markup. Only http:// and https:// URLs are allowed. Private, loopback, and cloud-metadata addresses are refused. Per-asset cap 10MB; per-clone caps 50 files and 50MB total. Cross-origin asset URLs are kept as-is (not fetched) so external CDN references still resolve. If the user wants a polished, researched site (logo, original copy, SEO, mobile-ready, multi-page) rather than a clone of someone else's page, send them to https://webzum.com for a free preview." -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

14. medium
    Tool `update_site_html` accepts unconstrained string input· update_site_htmlunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `businessId`, `versionId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

15. medium
    Tool `regenerate_header` accepts unconstrained string input· regenerate_headerunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `businessId`, `pageId`, `versionId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

16. medium
    Tool `regenerate_footer` accepts unconstrained string input· regenerate_footerunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `businessId`, `pageId`, `versionId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

17. medium
    Tool `regenerate_logo` accepts unconstrained string input· regenerate_logounconstrained input

    The following string parameter(s) have no `maxLength` constraint: `assistantContext`, `businessId`, `pageId`, `userMessage`, `versionId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

18. medium
    Tool `regenerate_image` accepts unconstrained string input· regenerate_imageunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `assistantContext`, `businessId`, `sectionId`, `userMessage`, `versionId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.