Rule catalog · Tool surface risk

No admin-control tools in the public surface

Rule id: `no_public_admin_control_tools` · Severity: critical · Weight: 10 · Runs: Post-handshake · Hard-fail

Authored by Stanley Hong · AgentReserve (founder).

No advertised tool grants administrative control over the system (shutdown, terminate, revoke, suspend, grant_role, sudo, …). Public administrative control lets any caller take over or disable the host. The check is a keyword scan over name, description, and schema; a status-only tool like `get_subscription_grant` may trip it on the word `grant`. Hard-fail forces `block` so the operator either renames the tool, moves it behind authenticated operator interfaces, or documents the override.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

Public administrative control lets any caller take over the system or disable it. Lifecycle, role-grant and privilege-escalation actions belong behind authentication and audit, not anonymous discovery.

Pass condition

No tool advertises admin actions (shutdown, terminate, revoke, suspend, grant_role, sudo, …).

Fail condition

At least one tool surfaces admin-control vocabulary in its name, description or schema.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"matches": [{"toolName": "grant_admin", "keyword": "grant", "source": "name"}]}
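The keyword scan described above, reconstructed as an added example (not AgentReserve's own scanner code): it walks each tool's `name`, `description` and `inputSchema` from a constructed `tools/list` result, emits evidence in the report's shape, and shows the documented false positive (`get_subscription_grant` tripping on `grant`) alongside a real hit. The keyword list and the boundary-matching rule are assumptions taken from the rule text.

```python
import json
import re

# Admin-control vocabulary quoted by the rule; the real scanner's list may be longer (assumption).
ADMIN_KEYWORDS = ("shutdown", "terminate", "revoke", "suspend", "grant_role", "grant", "sudo")

# Constructed tools/list result: one real admin tool, one status-only false positive, one benign tool.
SAMPLE_TOOLS_LIST = json.loads("""{"tools": [
  {"name": "grant_admin", "description": "Grant admin rights to a user.",
   "inputSchema": {"type": "object", "properties": {"user": {"type": "string"}}}},
  {"name": "get_subscription_grant", "description": "Read-only status of a subscription.",
   "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}}}},
  {"name": "list_invoices", "description": "List invoices for the account.",
   "inputSchema": {"type": "object", "properties": {"limit": {"type": "integer"}}}}
]}""")

def _schema_strings(schema):
    """Yield every key and string value in a JSON schema, so keyword hits in schemas count too."""
    if isinstance(schema, dict):
        for key, value in schema.items():
            yield str(key)
            yield from _schema_strings(value)
    elif isinstance(schema, list):
        for item in schema:
            yield from _schema_strings(item)
    elif isinstance(schema, str):
        yield schema

def _contains_keyword(text, keyword):
    # Token boundary that treats '_' as a separator, so 'grant' is found in 'grant_admin'
    # and in 'get_subscription_grant' (the false positive the rule documents).
    pattern = r"(?<![a-z0-9])" + re.escape(keyword) + r"(?![a-z0-9])"
    return re.search(pattern, text.lower()) is not None

def scan_tools(tools):
    """Keyword scan over name, description and schema; returns {"matches": [...]} evidence."""
    matches = []
    for tool in tools:
        fields = [("name", tool.get("name", "")), ("description", tool.get("description", ""))]
        fields += [("schema", s) for s in _schema_strings(tool.get("inputSchema", {}))]
        for source, text in fields:
            for keyword in ADMIN_KEYWORDS:
                if _contains_keyword(text, keyword):
                    matches.append({"toolName": tool.get("name", ""), "keyword": keyword, "source": source})
                    break  # one recorded keyword per field is enough evidence
    return {"matches": matches}

def verdict(evidence):
    """Hard-fail rule: any match forces 'block' regardless of the aggregate score."""
    return "block" if evidence["matches"] else "pass"
```

A false positive such as `get_subscription_grant` still produces `block`, which is why the rule leaves the operator to rename the tool or document the override rather than having the scanner guess intent.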

Remediation

Move admin-control tools behind authenticated operator interfaces. They should never be reachable via anonymous `tools/list`.

Methodology

This rule belongs to the Tool surface risk dimension, which measures what an agent could do if it trusted every advertised tool. The dimension covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions: the agent-specific threat surface, not just generic verb risk.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.