list_directory

2 findings on this tool

1. criticalexcessive agencyf-r7-list_directory

   Tool `list_directory` exposes a code/command execution surface

   `list_directory` looks like it executes code or shell commands ( Get a detailed listing of all files and directories in a specified path. Use this instead of 'execute_command' with ls/dir commands. Results distinguish between files and directories with [FILE] and [DIR] prefixes. Supports recursive listing with the 'depth' parameter (default: 2): - depth=1: Only direct contents of the directory - depth=2: Contents plus one level of subdirectories - depth=3+: Multiple levels deep CONTEXT OVERFLOW PROTECTION: - Top-level directory shows ALL items - Nested directories are limited to 100 items maximum per directory - When a nested directory has more than 100 items, you'll see a warning like: [WARNING] node_modules: 500 items hidden (showing first 100 of 600 total) - This prevents overwhelming the context with large directories like node_modules Results show full relative paths from the root directory being listed. Example output with depth=2: [DIR] src [FILE] src/index.ts [DIR] src/tools [FILE] src/tools/filesystem.ts If a directory cannot be accessed, it will show [DENIED] instead. If a path does not exist, it will show [NOT_FOUND] instead. Only works within allowed directories. IMPORTANT: Always use absolute paths for reliability. Paths are automatically normalized regardless of slash direction. Relative paths may fail as they depend on the current working directory. Tilde paths (~/...) might not work in all contexts. Unless the user explicitly asks for relative paths, use absolute paths. This command can be referenced as "DC: ..." or "use Desktop Commander to ..." in your instructions.). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

   fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

   OWASP LLM08NIST MANAGE-2.2ATLAS T0051
2. mediumunconstrained inputf-r1-list_directory

   Tool `list_directory` accepts unconstrained string input

   The following string parameter(s) have no `maxLength` constraint: `path`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

   OWASP LLM01NIST MEASURE-2.3ATLAS T0051