tavily-mcp

All 8 findings

1. high
   Tool `tavily_crawl` accepts an unbounded monetary / quota value· tavily_crawlexcessive agency

   The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

   fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

2. high
   Tool `tavily_map` accepts an unbounded monetary / quota value· tavily_mapexcessive agency

   The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

   fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

3. medium
   Tool `tavily_search` accepts unconstrained string input· tavily_searchunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `country`, `end_date`, `query`, `search_depth`, `start_date`, `time_range`, `topic`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

4. medium
   Tool `tavily_extract` accepts unconstrained string input· tavily_extractunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `extract_depth`, `format`, `query`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

5. medium
   Tool `tavily_crawl` accepts unconstrained string input· tavily_crawlunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `extract_depth`, `format`, `instructions`, `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

6. medium
   Tool `tavily_crawl` fetches external web content -- indirect-injection surface· tavily_crawlindirect injection

   Description: "Crawl a website starting from a URL. Extracts content from pages with configurable depth and breadth." -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

   fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

7. medium
   Tool `tavily_map` accepts unconstrained string input· tavily_mapunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `instructions`, `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

8. medium
   Tool `tavily_research` accepts unconstrained string input· tavily_researchunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `input`, `model`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.