Rule catalog · Tool surface risk

No filesystem-write tools in the public surface

no_public_filesystem_write_tools · critical · weight 10 · Post-handshake · hard-fail

Authored by Stanley Hong · AgentReserve (founder).

No advertised tool mutates the host filesystem (write_file, delete_file, chmod, mkdir, …). Public filesystem mutation can plant payloads, overwrite configuration, or destroy host state. The check is a keyword scan over name, description, and schema; a content-store tool exposing `upload_file` against an isolated bucket will trip it. Hard-fail forces `block` so the operator either fences the tool behind authentication, scopes it to a content store that does not expose raw paths, or documents the exception as an explicit override.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

Public filesystem mutation can plant payloads, overwrite configuration, or destroy host state. It also commonly composes with code-execution: write a file, then have the host run it.

Pass condition

No tool advertises mutation of the host filesystem (write_file, delete_file, chmod, mkdir, etc.).

Fail condition

At least one tool surfaces filesystem-mutation vocabulary in its name, description or schema.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"matches": [{"toolName": "write_file", "keyword": "write_file", "source": "name"}]}
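As an added illustration (not AgentReserve's scanner code), the keyword scan described above run over a constructed tools/list response, producing evidence in the shape shown. The keyword list and the `{"initialize_ok": ..., "tools": [...]}` handshake record are assumptions; the catalog does not publish the scanner's real vocabulary.

```python
import json

# Assumed keyword vocabulary; the catalog names write_file, delete_file, chmod,
# mkdir and notes that upload_file also trips the scan. The scanner's real list
# is not published on this page.
FS_MUTATION_KEYWORDS = ("write_file", "delete_file", "upload_file", "chmod", "mkdir")


def _scan(tool_name, text, source, matches):
    """Case-insensitive substring scan of one field; appends evidence records."""
    lowered = text.lower()
    for keyword in FS_MUTATION_KEYWORDS:
        if keyword in lowered:
            matches.append({"toolName": tool_name, "keyword": keyword, "source": source})


def check_no_public_filesystem_write_tools(handshake):
    """Return (verdict, evidence) for one scanned server.

    `handshake` is an assumed record: {"initialize_ok": bool, "tools": [...]}
    where `tools` is the result of MCP tools/list. Verdict is "skip" when the
    handshake failed (perimeter-only scan), "pass", or "block" (hard-fail).
    """
    if not handshake.get("initialize_ok"):
        return "skip", {"reason": "MCP initialize/tools/list did not succeed"}
    matches = []
    for tool in handshake.get("tools", []):
        name = tool.get("name", "")
        _scan(name, name, "name", matches)
        _scan(name, tool.get("description", ""), "description", matches)
        # Serialise the schema so nested property names and descriptions are scanned too.
        _scan(name, json.dumps(tool.get("inputSchema", {})), "schema", matches)
    if matches:
        return "block", {"matches": matches}  # hard-fail: the aggregate cannot override this
    return "pass", {"matches": []}


# Constructed tools/list response: one raw writer, one content-store tool that
# trips the scan despite targeting an isolated bucket, and one benign tool.
SAMPLE_HANDSHAKE = {
    "initialize_ok": True,
    "tools": [
        {"name": "write_file", "description": "Write text to a path",
         "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
        {"name": "put_object", "description": "upload_file into an isolated bucket",
         "inputSchema": {"type": "object", "properties": {"key": {"type": "string"}}}},
        {"name": "search_docs", "description": "Full-text search over indexed docs",
         "inputSchema": {"type": "object", "properties": {"q": {"type": "string"}}}},
    ],
}

if __name__ == "__main__":
    verdict, evidence = check_no_public_filesystem_write_tools(SAMPLE_HANDSHAKE)
    print(verdict, json.dumps(evidence))
```

The `put_object` match is the false positive the rule text warns about: the scan keys on vocabulary, not on where the writes actually land, so an isolated bucket still needs an explicit override.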

Remediation

Take filesystem-mutation tools off the public surface, scope them to a fenced directory, or replace them with a content store that does not expose raw paths.

Methodology

This rule belongs to the Tool surface risk dimension: what an agent could do if it trusted every advertised tool. The dimension covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions — i.e. the agent-specific threat surface, not just generic verb risk.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.