deploy_one_off_dyno

2 findings on this tool

1. criticalexcessive agencyf-r7-deploy_one_off_dyno

   Tool `deploy_one_off_dyno` exposes a code/command execution surface

   `deploy_one_off_dyno` looks like it executes code or shell commands ( Run code/commands in Heroku one-off dyno with network and filesystem access. Requirements: - Show command output - Use app_info for buildpack detection - Support shell setup commands - Use stdout/stderr Features: - Network/filesystem access - Environment variables - File operations - Temp directory handling Usage: 1. Use Heroku runtime 2. Proper syntax/imports 3. Organized code structure 4. Package management: - Define dependencies - Minimize external deps - Prefer native modules Example package.json: ```json { "type": "module", "dependencies": { "axios": "^1.6.0" } } ``` ). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

   fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

   OWASP LLM08NIST MANAGE-2.2ATLAS T0051
2. mediumunconstrained inputf-r1-deploy_one_off_dyno

   Tool `deploy_one_off_dyno` accepts unconstrained string input

   The following string parameter(s) have no `maxLength` constraint: `command`, `size`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

   OWASP LLM01NIST MEASURE-2.3ATLAS T0051