v0.2.0 · live
CAPFRAME
← leaderboard/rank #60
§ serversandboxfindings.v2

server-everything

npm:@modelcontextprotocol/server-everything@2026.1.26

github.com/modelcontextprotocol/servers

Score
B84
Findings
7
Tools
13
Last scan
2026-06-05

Severity breakdown

Critical0
High1
Medium6
Low0
Info0

Worst finding

Tool `toggle-subscriber-updates` name implies a side effect that is not declared

· toggle-subscriber-updates

`toggle-subscriber-updates` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

All 7 findings

  1. high
    Tool `toggle-subscriber-updates` name implies a side effect that is not declared· toggle-subscriber-updatesexcessive agency

    `toggle-subscriber-updates` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  2. medium
    Tool `echo` accepts unconstrained string input· echounconstrained input

    The following string parameter(s) have no `maxLength` constraint: `message`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  3. medium
    Tool `get-annotated-message` accepts unconstrained string input· get-annotated-messageunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `messageType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  4. medium
    Tool `get-resource-reference` accepts unconstrained string input· get-resource-referenceunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `resourceType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  5. medium
    Tool `get-structured-content` accepts unconstrained string input· get-structured-contentunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `location`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  6. medium
    Tool `gzip-file-as-resource` accepts unconstrained string input· gzip-file-as-resourceunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `data`, `name`, `outputType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  7. medium
    Tool `simulate-research-query` accepts unconstrained string input· simulate-research-queryunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `topic`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source sandbox live tools/list captured in an ephemeral Docker container (parameter schemas included → R1/R2/R4 fire). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.