server-gmail-autoauth-mcp
npm:@gongrzhe/server-gmail-autoauth-mcp@1.1.11
github.com/gongrzhe/server-gmail-autoauth-mcp
Severity breakdown
Worst finding
Tool `savePath` name implies a side effect that is not declared
· savePath
`savePath` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.
fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).
All 1 finding
- highTool `savePath` name implies a side effect that is not declared· savePathexcessive agency
`savePath` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.
fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).
How this was scored
Source registry — tool surface extracted from the package's README + manifest (R3/R5/R6/R7 fire; schema-dependent rules deferred). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].
Disagree with a finding? Open an issue.