Rule catalog · Tool surface risk

No description-borne injection vectors

no_description_injection · medium · weight 5 · Post-handshake

Authored by Stanley Hong · AgentReserve (founder).

No advertised tool's `description` contains a markdown link with a `javascript:` or `data:` target, an HTML tag that a renderer would execute or fetch (`<script>`, `<img>`, `<iframe>`, `<svg>`, `<object>`, `<embed>`), or an inline URL on a non-HTTPS scheme. Each pattern is a vector for the upstream server to smuggle content past the agent's normal trust boundary.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

MCP tool descriptions reach the model verbatim and are often rendered into agent UIs. A `javascript:` markdown link or an inline HTML tag can execute or fetch in whatever UI renders the description; a plain-HTTP URL pulls agent-visible content over a channel the operator did not authorize and that the network path can intercept. None of these belong in a tool description.

Pass condition

No tool description contains dangerous markdown link targets, HTML tags, or non-HTTPS inline URLs.

Fail condition

At least one tool description matches one of those patterns.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"hits": [{"toolName": "doc", "kind": "markdown_dangerous_link", "snippet": "[click](javascript:alert(1))"}]}

Remediation

Strip executable markdown / HTML from tool descriptions and replace any plain-HTTP links with their HTTPS equivalents. Treat the description as a static, plain-text help string — no embedded markup, no callable links.
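The check and the remediation above, as an added example that is not AgentReserve's own scanner code. It assumes a `tools/list` result shaped as a list of `{"name", "description"}` dicts, uses the constructed `SAMPLE_TOOLS` below as input, and produces evidence in the `{"hits": [{"toolName", "kind", "snippet"}]}` shape shown under "Evidence examples". Only the `markdown_dangerous_link` kind appears on this page; `html_tag` and `non_https_url`, the function names, and the `[link removed]` placeholder used for non-HTTP schemes are assumptions made for this example.

```python
import re

# Constructed sample tools/list result for this example; these tools and
# descriptions are made up and do not come from any real server.
SAMPLE_TOOLS = [
    {"name": "doc", "description": "Open the docs: [click](javascript:alert(1))"},
    {"name": "fetch", "description": "Fetches a page. See http://example.com/help for details."},
    {"name": "render", "description": 'Renders HTML <img src="x" onerror="alert(1)"> previews.'},
    {"name": "sum", "description": "Adds two numbers. Docs: https://example.com/sum"},
    {"name": "embed", "description": "Logo: [img](data:image/png;base64,AAAA)"},
]

DANGEROUS_LINK_SCHEMES = ("javascript:", "data:")
EXECUTABLE_TAGS = ("script", "img", "iframe", "svg", "object", "embed")

# [text](target "optional title"); the target may hold one level of balanced
# parentheses so that javascript:alert(1) is captured whole.
MD_LINK_RE = re.compile(
    r'\[([^\]]*)\]\(\s*((?:[^()\s]|\([^()]*\))+)(?:\s+"[^"]*")?\s*\)'
)
# Opening or closing form of any tag a renderer would execute or fetch.
HTML_TAG_RE = re.compile(
    r"<\s*/?\s*(?:" + "|".join(EXECUTABLE_TAGS) + r")\b[^>]*>", re.IGNORECASE
)
# Any scheme://... URL; the scheme itself is judged by the caller.
URL_RE = re.compile(r"\b([a-z][a-z0-9+.\-]*)://[^\s)>\"']+", re.IGNORECASE)


def _scheme_key(target):
    """Lower-case the link target so JavaScript:/DATA: variants are still caught."""
    return target.strip().lower()


def find_hits(tool_name, description):
    """Return evidence records for one tool description (empty list if clean)."""
    hits = []
    for m in MD_LINK_RE.finditer(description):
        if _scheme_key(m.group(2)).startswith(DANGEROUS_LINK_SCHEMES):
            hits.append({"toolName": tool_name, "kind": "markdown_dangerous_link", "snippet": m.group(0)})
    for m in HTML_TAG_RE.finditer(description):
        hits.append({"toolName": tool_name, "kind": "html_tag", "snippet": m.group(0)})
    for m in URL_RE.finditer(description):
        if m.group(1).lower() != "https":
            hits.append({"toolName": tool_name, "kind": "non_https_url", "snippet": m.group(0)})
    return hits


def scan_tools(tools):
    """Apply the rule to a tools/list result: returns (passed, evidence)."""
    hits = []
    for tool in tools:
        hits.extend(find_hits(tool.get("name", "<unnamed>"), tool.get("description") or ""))
    return not hits, {"hits": hits}


def sanitize_description(description):
    """Remediation: keep link text but drop javascript:/data: targets, strip the
    executable tags, upgrade http:// to https://, and remove URLs on other schemes."""
    def md_repl(m):
        if _scheme_key(m.group(2)).startswith(DANGEROUS_LINK_SCHEMES):
            return m.group(1)  # plain link text, no callable target
        return m.group(0)

    def url_repl(m):
        scheme = m.group(1).lower()
        if scheme == "https":
            return m.group(0)
        if scheme == "http":
            return "https://" + m.group(0)[len(m.group(1)) + 3:]
        return "[link removed]"  # placeholder chosen for this example

    cleaned = MD_LINK_RE.sub(md_repl, description)
    cleaned = HTML_TAG_RE.sub("", cleaned)
    return URL_RE.sub(url_repl, cleaned)


if __name__ == "__main__":
    passed, evidence = scan_tools(SAMPLE_TOOLS)
    print("pass" if passed else "fail", evidence)
    fixed = [{**t, "description": sanitize_description(t["description"])} for t in SAMPLE_TOOLS]
    print(scan_tools(fixed))
```

Running the module scans the sample set (four hits across three tools, so the rule fails), sanitizes every description, and rescans, which then passes. The regexes here match the literal forms the rule names; markdown renderers differ in how they treat HTML entities and whitespace inside a link target, so a production scanner should decode entities and normalize the target before the scheme comparison rather than relying on the literal match alone.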

Methodology

This rule belongs to the Tool surface risk dimension, which asks what an agent could do if it trusted every advertised tool. It covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions: the agent-specific threat surface, not just generic verb risk.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.