Rule catalog · Tool surface risk

Resource URIs do not advertise risky targets

Rule id: `no_dangerous_resource_uris` · Severity: high · Weight: 6 · Phase: Post-handshake

Authored by Stanley Hong · AgentReserve (founder).

No entry returned by `resources/list` advertises a URI that points at the local filesystem (`file://`), plaintext HTTP, a cloud-metadata host (`169.254.169.254`, `metadata.google.internal`), a loopback or RFC 1918 address, a link-local or IPv6 ULA address, or a private-TLD hostname (`*.local`, `*.internal`, …). A client that follows these URIs without further validation is the MCP analogue of an SSRF primitive.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

MCP clients enumerate resources on connect and many will fetch them eagerly to display a preview. A resource URI that points at `file:///etc/passwd`, `http://169.254.169.254/latest/meta-data/`, or `http://localhost:6379/` weaponises that fetch into a host-compromise primitive — the client surfaces an attacker-chosen file or service back to the agent and the operator. The trust boundary is the same one exploited by classic SSRF.

Pass condition

Every advertised resource URI uses an HTTPS (or other safe non-network) scheme and resolves to a publicly routable hostname.

Fail condition

At least one resource URI uses `file://`, `http://`, an uncommon scheme, or a hostname in the loopback / RFC 1918 / link-local / IPv6 ULA / private-TLD / cloud-metadata families.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"hits": [{"kind": "file_scheme", "uri": "file:///etc/passwd", "name": "secrets", "reason": "file:// resource URI — exposes local-filesystem paths."}]}
  • {"hits": [{"kind": "cloud_metadata_host", "uri": "https://169.254.169.254/latest/meta-data/", "name": "aws", "reason": "Cloud metadata host 169.254.169.254 — SSRF pivot."}]}
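As an added example (not AgentReserve's scanner code), the classifier below applies this rule's fail condition to the entries of a `resources/list` result and emits hits in roughly the evidence shape above. The hit kind names other than `file_scheme` and `cloud_metadata_host`, and the private-TLD list, are assumptions.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

CLOUD_METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
PRIVATE_TLDS = (".local", ".internal")  # assumption: the rule's "…" may cover more

def classify_host(host: str) -> Optional[str]:
    """Return a hit kind for a hostname, or None if it looks publicly routable."""
    host = host.lower().rstrip(".")
    if host in CLOUD_METADATA_HOSTS:
        return "cloud_metadata_host"
    if host == "localhost" or host.endswith(PRIVATE_TLDS):
        return "private_hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary DNS name: treated as routable by this check
    if ip.is_loopback:
        return "loopback_address"
    if ip.is_link_local:
        return "link_local_address"
    if ip.is_private:  # RFC 1918 for IPv4, ULA (fc00::/7) for IPv6
        return "private_address"
    return None

def classify_uri(uri: str) -> Optional[str]:
    """Return a hit kind for one resource URI, or None if it passes the rule."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "file":
        return "file_scheme"
    if scheme not in ("http", "https"):
        return "uncommon_scheme"
    host_kind = classify_host(parts.hostname or "")
    if host_kind:  # a risky host is reported even over https (see evidence above)
        return host_kind
    return "plaintext_http" if scheme == "http" else None

def check_resources(resources: list) -> list:
    """Build evidence hits from resources/list entries shaped like {"uri", "name"}."""
    hits = []
    for res in resources:
        kind = classify_uri(res.get("uri", ""))
        if kind:
            hits.append({"kind": kind, "uri": res["uri"], "name": res.get("name", "")})
    return hits

SAMPLE_RESOURCES = [  # constructed sample entries, not from a real server
    {"uri": "https://docs.example.com/readme", "name": "docs"},
    {"uri": "file:///etc/passwd", "name": "secrets"},
    {"uri": "https://169.254.169.254/latest/meta-data/", "name": "aws"},
    {"uri": "http://localhost:6379/", "name": "cache"},
]
```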

Remediation

Restrict advertised resource URIs to HTTPS targets on publicly routable hostnames. If a server intentionally exposes local content, surface it through a tool with an authenticated, scoped fetch — not as a list-on-connect resource.

Methodology

This rule belongs to the Tool surface risk dimension, which measures what an agent could do if it trusted every advertised tool. The dimension covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions — i.e. the agent-specific threat surface, not just generic verb risk.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.