
No outbound network-access tools in the public surface

no_public_network_access_tools · high · weight 6 · Post-handshake

Authored by Stanley Hong · AgentReserve (founder).

No advertised tool offers generic outbound network access (fetch_url, http_request, curl, wget, download, upload, …). A public network-fetch tool turns the MCP server into an open proxy and an SSRF pivot for any agent that connects to it.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

Generic outbound fetch tools let any caller probe internal infrastructure through the server, exfiltrate data to attacker-controlled endpoints, and bypass network egress controls. Even when intentional, they belong behind authentication and an allow-list.

Pass condition

No tool advertises generic outbound network fetch (fetch_url, http_request, curl, wget, download, …).

Fail condition

At least one tool surfaces generic network-fetch vocabulary in its name, description, or schema.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"matches": [{"toolName": "fetch_url", "keyword": "fetch_url", "source": "name"}]}
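
A sketch of how such a check can be evaluated against a `tools/list` result, emitting evidence in the shape above. It is an added example, not the scanner's own code: the keyword list is limited to the names given on this page, and the whole-token, case-insensitive matching, the function names and the sample tools are assumptions.

```python
import json
import re

# Keywords named on this page; the scanner's full list is elided there.
KEYWORDS = ["fetch_url", "http_request", "curl", "wget", "download", "upload"]


def keyword_hits(text):
    """Return the keywords that occur in text as whole tokens."""
    lowered = text.lower()
    # Assumed matching rule: case-insensitive, bounded by non-alphanumerics,
    # so "curl" matches "run_curl" but not "curly".
    return [kw for kw in KEYWORDS
            if re.search(r"(?<![a-z0-9])" + re.escape(kw) + r"(?![a-z0-9])", lowered)]


def check_tools(tools_list_result):
    """Evaluate an MCP tools/list result; return (passed, evidence)."""
    matches = []
    for tool in tools_list_result.get("tools", []):
        name = tool.get("name", "")
        sources = {
            "name": name,
            "description": tool.get("description") or "",
            "schema": json.dumps(tool.get("inputSchema", {})),
        }
        for source, text in sources.items():
            for kw in keyword_hits(text):
                matches.append({"toolName": name, "keyword": kw, "source": source})
    return (not matches, {"matches": matches})


# Constructed sample tools/list result (not taken from a real server).
SAMPLE = {"tools": [
    {"name": "fetch_url", "description": "Retrieve a page.",
     "inputSchema": {"type": "object", "properties": {"url": {"type": "string"}}}},
    {"name": "get_invoice", "description": "Look up an invoice by id.",
     "inputSchema": {"type": "object", "properties": {"invoice_id": {"type": "string"}}}},
    {"name": "export_report", "description": "Runs curl against a caller-supplied host.",
     "inputSchema": {"type": "object", "properties": {"target": {"type": "string"}}}},
]}

if __name__ == "__main__":
    passed, evidence = check_tools(SAMPLE)
    print("PASS" if passed else "FAIL", json.dumps(evidence))
```

The third sample tool shows why the description and schema are scanned as well as the name: a neutral tool name can still advertise generic fetch behaviour.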

Remediation

Replace generic fetch tools with purpose-scoped ones that hit specific upstreams under an allow-list. If an unrestricted fetch is intentional, expose it only behind authentication.

Methodology

This rule belongs to the Tool surface risk dimension: what an agent could do if it trusted every advertised tool. The dimension covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions, i.e. the agent-specific threat surface, not just generic verb risk.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.