Rule catalog · Tool surface risk

No financial-action tools in the public surface

no_public_financial_action_tools · high · weight 6 · Post-handshake

Authored by Stanley Hong · AgentReserve (founder).

No advertised tool performs a financial action (pay, charge, refund, transfer, withdraw, invoice, …). Tools that move money should be explicitly authorized and reviewed individually.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

Tools that move money should be authorized and reviewed individually. Surfacing them on a default `tools/list` lets an agent — or anyone with network access to the server — initiate transfers without operator intent.

Pass condition

No tool advertises financial actions (pay, charge, refund, transfer, withdraw, invoice, …).

Fail condition

At least one tool surfaces financial-action vocabulary.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"matches": [{"toolName": "transfer_funds", "keyword": "transfer", "source": "name"}]}
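As an added illustration, not the scanner's own code, here is one way to implement this rule's check over a tools/list result and emit evidence in the shape shown above. The keyword list comes from the rule text; the inflection handling, the `description` source value and the sample tool set are assumptions.

```python
import re
from typing import Optional

# Financial-action vocabulary from the rule text. The scanner's real word list
# and stemming are not on the page; the inflection handling is an assumption.
FINANCIAL_KEYWORDS = ("pay", "charge", "refund", "transfer", "withdraw", "invoice")
_SUFFIXES = {"", "s", "d", "ed", "ing", "ment", "ments", "al", "als", "er", "ers"}
# Splits snake_case, kebab-case, camelCase and prose into lowercase words:
# "transfer_funds" -> ["transfer", "funds"], "listInvoices" -> ["list", "invoices"].
_WORD_RE = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+")

def tokenize(text: Optional[str]) -> list:
    return [w.lower() for w in _WORD_RE.findall(text or "")]

def financial_keyword(token: str) -> Optional[str]:
    """Keyword a whole word expresses ("payments" -> "pay"), else None.
    Only a known inflection may follow, so "payload" does not trip "pay"."""
    for keyword in FINANCIAL_KEYWORDS:
        stems = (keyword, keyword[:-1]) if keyword.endswith("e") else (keyword,)
        for stem in stems:
            if token.startswith(stem) and token[len(stem):] in _SUFFIXES:
                return keyword
    return None

def find_financial_matches(tools: list) -> list:
    """One evidence entry per (tool, source, keyword), in the report's shape."""
    matches = []
    for tool in tools:
        for source in ("name", "description"):
            seen = []
            for token in tokenize(tool.get(source)):
                keyword = financial_keyword(token)
                if keyword and keyword not in seen:
                    seen.append(keyword)
                    matches.append({"toolName": tool["name"], "keyword": keyword, "source": source})
    return matches

def evaluate(tools_list_result: dict) -> dict:
    """Apply the pass/fail condition to the result object of a tools/list reply."""
    matches = find_financial_matches(tools_list_result.get("tools", []))
    return {"status": "fail" if matches else "pass", "evidence": {"matches": matches}}

# Constructed sample: the "result" member of a tools/list response.
SAMPLE_TOOLS_LIST = {"tools": [
    {"name": "transfer_funds", "description": "Move money between two accounts"},
    {"name": "get_payload_size", "description": "Return the size of a request payload"},
    {"name": "listInvoices", "description": "List outstanding invoices for a customer"},
    {"name": "search_docs", "description": "Full-text search over the documentation"},
]}
```

Calling `evaluate(SAMPLE_TOOLS_LIST)` fails the sample on `transfer_funds` and `listInvoices` while leaving `get_payload_size` alone, which is the false-positive case a substring match would get wrong.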

Remediation

Gate financial actions behind explicit per-call authorization, idempotency keys, and an operator-side audit log; do not expose them anonymously.

Methodology

This rule belongs to the Tool surface risk dimension, which asks what an agent could do if it trusted every advertised tool. The dimension covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions: the agent-specific threat surface, not just generic verb risk.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.