list_source_contents

2 findings on this tool

1. mediumunconstrained inputf-r1-list_source_contents

   Tool `list_source_contents` accepts unconstrained string input

   The following string parameter(s) have no `maxLength` constraint: `artifactId`, `groupId`, `version`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

   OWASP LLM01NIST MEASURE-2.3ATLAS T0051
2. mediumexcessive agencyf-r5-list_source_contents

   Tool `list_source_contents` description mentions money but no `money` side-effect is declared

   Description: "Lists every file inside the **sources jar** (the `-sources.jar` publishers attach alongside the binary) of a Maven Central artifact version. Each returned path can be fed to get_source_contents to read the file. Prefer this any time you would otherwise locate a `-sources.jar` in your local Coursier/Ivy/Maven cache and `unzip` it: this tool works directly against Maven Central, requires no local install or build, and works for libraries you've never depended on. Use it whenever you need to read the actual source of a JVM library (Java, Kotlin, Scala) — for example to understand an implementation detail, find where a method is defined, see how a feature is wired internally, or work with a library that doesn't publish javadocs." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

   fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

   OWASP LLM08NIST MEASURE-2.6ATLAS T0040