v0.2.0 · live
CAPFRAME
← leaderboard/rank #74
§ serverregistryfindings.v2

phantom-wallet-mcp

npm:@phantom/mcp-server@1.2.7

github.com/phantom

Score
C58
Findings
14
Tools
30
Last scan
2026-06-27

Severity breakdown

Critical0
High7
Medium7
Low0
Info0

Worst finding

Tool `solana_send` name implies a side effect that is not declared

· solana_send

`solana_send` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

All 14 findings

  1. high
    Tool `solana_send` name implies a side effect that is not declared· solana_sendexcessive agency

    `solana_send` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  2. high
    Tool `evm_send` name implies a side effect that is not declared· evm_sendexcessive agency

    `evm_send` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  3. high
    Tool `transfer` name implies a side effect that is not declared· transferexcessive agency

    `transfer` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  4. high
    Tool `buy` name implies a side effect that is not declared· buyexcessive agency

    `buy` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  5. high
    Tool `pay` name implies a side effect that is not declared· payexcessive agency

    `pay` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  6. high
    Tool `perps_cancel` name implies a side effect that is not declared· perps_cancelexcessive agency

    `perps_cancel` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  7. high
    Tool `perps_transfer` name implies a side effect that is not declared· perps_transferexcessive agency

    `perps_transfer` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  8. medium
    Tool `wallet_balances` description mentions money but no `money` side-effect is declared· wallet_balancesexcessive agency

    Description: "Returns token balances for the connected wallet." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  9. medium
    Tool `wallet_rebalance` description mentions money but no `money` side-effect is declared· wallet_rebalanceexcessive agency

    Description: "Rebalance the wallet portfolio to a target allocation." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  10. medium
    Tool `transfer` description mentions money but no `money` side-effect is declared· transferexcessive agency

    Description: "Transfer tokens between wallets on Solana or EVM chains." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  11. medium
    Tool `buy` description mentions money but no `money` side-effect is declared· buyexcessive agency

    Description: "Buy a token with another token (swap)." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  12. medium
    Tool `pay` description mentions money but no `money` side-effect is declared· payexcessive agency

    Description: "Pay for API access using tokens." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

  13. medium
    Tool `get_token_price` fetches external web content -- indirect-injection surface· get_token_priceindirect injection

    Description: "Fetch the current price of a token by its address and chain." -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

    fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

  14. medium
    Tool `perps_transfer` description mentions money but no `money` side-effect is declared· perps_transferexcessive agency

    Description: "Transfer funds between spot and perps accounts." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

How this was scored

Source registry tool surface extracted from the package's README + manifest (R3/R5/R6/R7 fire; schema-dependent rules deferred). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.