
Tool input schemas have bounded shape

no_broad_schema_risk · low · weight 2 · Post-handshake

Authored by Stanley Hong · AgentReserve (founder).

No advertised tool's `inputSchema` carries broad-shape smells: `additionalProperties: true`, untyped `object` properties, or sensitive free-form string fields (`query`, `command`, `path`, `url`, `sql`, `prompt`, `token`, `secret`) without an `enum`, `pattern`, or `format` constraint. Each one is a passive smell that lets a caller send input the schema does not document. Prompt-injection-shaped instructable-text fields specifically are scored under `prompt_injection_surface`; this rule retains the broader structural shape evidence at a lower weight.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

An unbounded schema means a reviewer cannot tell what the tool will accept, and an agent's argument layer cannot enforce shape ahead of the call. The three patterns flagged here — `additionalProperties: true`, untyped `object`, and free-form sensitive string fields — are the schema shapes that historically pair with SQL, shell, SSRF, and prompt-injection issues.

Pass condition

No advertised tool's input schema has `additionalProperties: true`, an untyped/open-ended object property, or a sensitive free-form string field without an `enum`, `pattern`, or `format`.

Fail condition

At least one tool's input schema exhibits one of those three broad-shape smells.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"hits": [{"toolName": "run", "kind": "free_form_sensitive_field", "field": "command", "path": "command"}]}

Remediation

Tighten input schemas: set `additionalProperties: false`, declare `properties` for every nested object, and constrain free-form strings with `enum`, `pattern`, or `format` where the field name implies a sensitive payload.
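The check and the remediation side by side, as an added sketch that is not the scanner's own code. It assumes "untyped object" means an `object` property with no declared `properties`; the kind names `additional_properties_true` and `untyped_object` are made up here (only `free_form_sensitive_field` appears in the evidence above), and both tool definitions are constructed samples.

```python
import json

# Field names and constraint keywords are the ones the rule text lists.
SENSITIVE = {"query", "command", "path", "url", "sql", "prompt", "token", "secret"}
CONSTRAINTS = ("enum", "pattern", "format")

def walk(schema, path=""):
    """Yield (kind, field, path) for each broad-shape smell in an object schema."""
    if schema.get("additionalProperties") is True:  # only the explicit `true`
        yield ("additional_properties_true", None, path)
    for name, sub in schema.get("properties", {}).items():
        here = f"{path}.{name}" if path else name
        if sub.get("type") == "object":
            if "properties" not in sub:  # assumed meaning of "untyped object"
                yield ("untyped_object", name, here)
            yield from walk(sub, here)   # recurse into nested objects
        elif (sub.get("type") == "string" and name.lower() in SENSITIVE
              and not any(k in sub for k in CONSTRAINTS)):
            yield ("free_form_sensitive_field", name, here)

def scan(tools):
    """Build a report in the evidence shape shown above from a tools/list result."""
    hits = [{"toolName": t["name"], "kind": kind, "field": field, "path": path}
            for t in tools
            for kind, field, path in walk(t.get("inputSchema", {}))]
    return {"hits": hits}

# Constructed sample: a tool whose schema shows all three smells.
LOOSE = [{"name": "run", "inputSchema": {
    "type": "object", "additionalProperties": True,
    "properties": {"command": {"type": "string"},
                   "options": {"type": "object"}}}}]

# Constructed sample: the same tool after the remediation above.
TIGHT = [{"name": "run", "inputSchema": {
    "type": "object", "additionalProperties": False, "required": ["command"],
    "properties": {
        "command": {"type": "string", "enum": ["status", "version"]},
        "options": {"type": "object", "additionalProperties": False,
                    "properties": {"verbose": {"type": "boolean"}}}}}}]

if __name__ == "__main__":
    print(json.dumps(scan(LOOSE), indent=2))  # three hits
    print(json.dumps(scan(TIGHT)))            # no hits
```

Array `items` schemas are not traversed in this sketch.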

Methodology

This rule belongs to the Schema quality dimension, which covers whether the tool surface is reviewable without invoking it. Tools without input schemas force agents to guess argument shapes; tool names that aren't plain ASCII identifiers confuse logging and allow-listing.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.