Rule catalog · MCP discovery posture

tools/list returned a tool array

mcp_tools_list_succeededinfoweight 1Post-handshake

Authored by Stanley Hong · AgentReserve (founder).

The MCP `tools/list` call returned an array (possibly empty) rather than failing. This is a precondition for the rest of the tool-surface evaluation and a baseline indicator that the server speaks MCP correctly.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

Without a `tools/list` array — even an empty one — there is nothing to review. Auth-walled servers signal this differently (with WWW-Authenticate); see `auth_discovery_advertised_when_required`.

Pass condition

`tools/list` returned an array (length zero or more).

Fail condition

`tools/list` did not return an array (probe-level failure).

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

```
{"toolsListPresent": false}
```

Remediation

Implement `tools/list` per the MCP spec; return an empty array if the server has no callable tools.

Methodology

This rule belongs to the MCP discovery posture dimension. Whether the server cooperates with the MCP handshake — protocol version negotiation, capability flags, and other discovery signals clients depend on.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.

← Back to rule catalog