v0.2.0 · live
CAPFRAME
← leaderboard/rank #81
§ serversandboxfindings.v2

server-github

npm:@modelcontextprotocol/server-github@2025.4.8

Score
D16
Findings
34
Tools
26
Last scan
2026-06-05

Severity breakdown

Critical0
High8
Medium26
Low0
Info0

Worst finding

Tool `create_or_update_file` name implies a side effect that is not declared

· create_or_update_file

`create_or_update_file` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

All 34 findings

  1. high
    Tool `create_or_update_file` name implies a side effect that is not declared· create_or_update_fileexcessive agency

    `create_or_update_file` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  2. high
    Tool `create_repository` name implies a side effect that is not declared· create_repositoryexcessive agency

    `create_repository` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  3. high
    Tool `create_issue` name implies a side effect that is not declared· create_issueexcessive agency

    `create_issue` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  4. high
    Tool `create_pull_request` name implies a side effect that is not declared· create_pull_requestexcessive agency

    `create_pull_request` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  5. high
    Tool `create_branch` name implies a side effect that is not declared· create_branchexcessive agency

    `create_branch` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  6. high
    Tool `update_issue` name implies a side effect that is not declared· update_issueexcessive agency

    `update_issue` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  7. high
    Tool `create_pull_request_review` name implies a side effect that is not declared· create_pull_request_reviewexcessive agency

    `create_pull_request_review` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  8. high
    Tool `update_pull_request_branch` name implies a side effect that is not declared· update_pull_request_branchexcessive agency

    `update_pull_request_branch` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  9. medium
    Tool `create_or_update_file` accepts unconstrained string input· create_or_update_fileunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `branch`, `content`, `message`, `owner`, `path`, `repo`, `sha`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  10. medium
    Tool `search_repositories` accepts unconstrained string input· search_repositoriesunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `query`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  11. medium
    Tool `create_repository` accepts unconstrained string input· create_repositoryunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `description`, `name`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  12. medium
    Tool `get_file_contents` accepts unconstrained string input· get_file_contentsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `branch`, `owner`, `path`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  13. medium
    Tool `push_files` accepts unconstrained string input· push_filesunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `branch`, `message`, `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  14. medium
    Tool `create_issue` accepts unconstrained string input· create_issueunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `body`, `owner`, `repo`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  15. medium
    Tool `create_pull_request` accepts unconstrained string input· create_pull_requestunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `base`, `body`, `head`, `owner`, `repo`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  16. medium
    Tool `fork_repository` accepts unconstrained string input· fork_repositoryunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `organization`, `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  17. medium
    Tool `create_branch` accepts unconstrained string input· create_branchunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `branch`, `from_branch`, `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  18. medium
    Tool `list_commits` accepts unconstrained string input· list_commitsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `owner`, `repo`, `sha`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  19. medium
    Tool `list_issues` accepts unconstrained string input· list_issuesunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `direction`, `owner`, `repo`, `since`, `sort`, `state`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  20. medium
    Tool `update_issue` accepts unconstrained string input· update_issueunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `body`, `owner`, `repo`, `state`, `title`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  21. medium
    Tool `add_issue_comment` accepts unconstrained string input· add_issue_commentunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `body`, `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  22. medium
    Tool `search_code` accepts unconstrained string input· search_codeunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `order`, `q`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  23. medium
    Tool `search_issues` accepts unconstrained string input· search_issuesunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `order`, `q`, `sort`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  24. medium
    Tool `search_users` accepts unconstrained string input· search_usersunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `order`, `q`, `sort`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  25. medium
    Tool `get_issue` accepts unconstrained string input· get_issueunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  26. medium
    Tool `get_pull_request` accepts unconstrained string input· get_pull_requestunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  27. medium
    Tool `list_pull_requests` accepts unconstrained string input· list_pull_requestsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `base`, `direction`, `head`, `owner`, `repo`, `sort`, `state`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  28. medium
    Tool `create_pull_request_review` accepts unconstrained string input· create_pull_request_reviewunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `body`, `commit_id`, `event`, `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  29. medium
    Tool `merge_pull_request` accepts unconstrained string input· merge_pull_requestunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `commit_message`, `commit_title`, `merge_method`, `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  30. medium
    Tool `get_pull_request_files` accepts unconstrained string input· get_pull_request_filesunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  31. medium
    Tool `get_pull_request_status` accepts unconstrained string input· get_pull_request_statusunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  32. medium
    Tool `update_pull_request_branch` accepts unconstrained string input· update_pull_request_branchunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `expected_head_sha`, `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  33. medium
    Tool `get_pull_request_comments` accepts unconstrained string input· get_pull_request_commentsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  34. medium
    Tool `get_pull_request_reviews` accepts unconstrained string input· get_pull_request_reviewsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `owner`, `repo`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source sandbox live tools/list captured in an ephemeral Docker container (parameter schemas included → R1/R2/R4 fire). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.