Rule catalog · Tool surface risk

No outbound-messaging tools in the public surface

Rule ID: no_public_send_message_tools · Severity: high · Weight: 6 · Phase: Post-handshake

Authored by Stanley Hong · AgentReserve (founder).

No advertised tool sends an outbound message on the operator's behalf (send_email, send_sms, post_message, broadcast, notify, …). Messaging tools enable spam, phishing and impersonation if exposed without scoped review.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

Outbound-messaging tools speak with the operator's identity. Exposed without scoped review, they enable spam, phishing and impersonation against third parties.

Pass condition

No tool advertises outbound messaging (send_email, send_sms, post_message, broadcast, notify, …).

Fail condition

At least one advertised tool carries outbound-messaging vocabulary; the evidence records which tool, which keyword, and where it was found (for example in the tool name).

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"matches": [{"toolName": "send_email", "keyword": "send_email", "source": "name"}]}
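One way to implement the pass/fail check above over a `tools/list` result, producing evidence in the shape shown. This is an added example, not the scanner's own code: the keywords beyond the five the page names, the decision to also scan inputSchema property names, and the sample tool list are all assumptions.

```python
from __future__ import annotations

import json
import re
from typing import Any, Optional

# Outbound-messaging vocabulary. The catalog names send_email, send_sms,
# post_message, broadcast and notify; the remaining entries are assumed
# additions for this example, not the scanner's actual list.
MESSAGING_KEYWORDS = (
    "send_email", "send_sms", "post_message", "broadcast", "notify",
    "send_message", "send_mail", "send_dm", "send_notification",
)


def normalize(text: str) -> str:
    """Fold camelCase, kebab-case and free text into snake_case tokens so
    'sendEmail', 'send-email' and 'Send email' all match 'send_email'."""
    text = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", text)
    return re.sub(r"[^a-z0-9]+", "_", text.lower()).strip("_")


def find_messaging_tools(tools: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Scan a tools/list result and return evidence records in the report
    shape {"toolName", "keyword", "source"}. Sources checked: the tool name,
    its description, and (assumed) the property names of its inputSchema."""
    matches: list[dict[str, str]] = []
    for tool in tools:
        name = tool.get("name", "")
        props = (tool.get("inputSchema") or {}).get("properties") or {}
        sources = [("name", name), ("description", tool.get("description", ""))]
        sources += [("inputSchema", prop) for prop in props]
        for source, text in sources:
            norm = normalize(text)
            for kw in MESSAGING_KEYWORDS:
                # Token-boundary match: 'resend_email_digest' does not fire on
                # 'send_email', but 'send_emails' and 'notify_user' do.
                if re.search(rf"(?<![a-z0-9]){kw}s?(?![a-z0-9])", norm):
                    matches.append({"toolName": name, "keyword": kw, "source": source})
    return matches


def evaluate(tools: Optional[list[dict[str, Any]]]) -> dict[str, Any]:
    """Apply the rule. tools=None models a perimeter-only scan where the MCP
    handshake failed: the rule is skipped, not failed."""
    if tools is None:
        return {"rule": "no_public_send_message_tools", "status": "skipped"}
    matches = find_messaging_tools(tools)
    result: dict[str, Any] = {
        "rule": "no_public_send_message_tools",
        "status": "fail" if matches else "pass",
    }
    if matches:
        result["evidence"] = {"matches": matches}
    return result


# Constructed sample tools/list payload (not captured from a real server).
SAMPLE_TOOLS = [
    {"name": "send_email",
     "description": "Send an email from the operator's account",
     "inputSchema": {"type": "object",
                     "properties": {"to": {"type": "string"}, "body": {"type": "string"}}}},
    {"name": "read_calendar", "description": "List upcoming events"},
    {"name": "createTicket",
     "description": "Open a ticket and notify the assignee",
     "inputSchema": {"type": "object",
                     "properties": {"title": {"type": "string"}, "notify": {"type": "boolean"}}}},
]

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_TOOLS), indent=2))
```

On the sample payload the rule fails with three matches: `send_email` in a tool name, and `notify` both in a description and as an inputSchema property of `createTicket`, which shows why scanning only names is not enough.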

Remediation

Restrict messaging tools to authenticated callers, scope them to specific recipients or templates, and add per-call approval for anything that reaches outside the operator's domain.
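The same three controls expressed as a gate in front of a `send_email` handler. This is an added example, not code from the page or from AgentReserve; the scope name, operator domains, template set and the `Approval` record that models a human's per-call sign-off are all assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

# Assumed policy for the example; real values come from the operator's config.
OPERATOR_DOMAINS = frozenset({"example.com"})
ALLOWED_TEMPLATES = {
    "ticket_update": "Ticket {ticket_id} is now {status}.",
    "password_reset": "Use this link to reset your password: {link}",
}
SEND_SCOPE = "messaging:send"   # assumed scope name carried by authenticated callers


@dataclass(frozen=True)
class Caller:
    subject: str | None          # None: the MCP request carried no credential
    scopes: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Approval:
    """A recorded per-call approval for one (caller, recipient, template) triple."""
    caller: str
    recipient: str
    template_id: str


def recipient_domain(address: str) -> str | None:
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address)
    return m.group(1).lower() if m else None


def authorize_send(caller: Caller, recipient: str, template_id: str,
                   approvals: frozenset[Approval]) -> str:
    """Decide whether one outbound message may go out. Returns 'allow',
    'needs_approval' or a 'deny:<reason>' string."""
    if caller.subject is None or SEND_SCOPE not in caller.scopes:
        return "deny:unauthenticated"
    if template_id not in ALLOWED_TEMPLATES:
        return "deny:template_not_allowed"      # no free-form bodies at all
    domain = recipient_domain(recipient)
    if domain is None:
        return "deny:malformed_recipient"
    if domain in OPERATOR_DOMAINS:
        return "allow"                          # stays inside the operator's domain
    if Approval(caller.subject, recipient.lower(), template_id) in approvals:
        return "allow"                          # leaves the domain, but explicitly approved
    return "needs_approval"                     # the agent must come back with an approval


def send_email_tool(caller: Caller, recipient: str, template_id: str,
                    params: dict[str, str], approvals: frozenset[Approval],
                    transport: Callable[[str, str], None]) -> dict[str, object]:
    """Handler behind the advertised send_email tool: the gate runs before
    anything is rendered, and the body comes only from an allowed template
    (caller-supplied values are substituted literally, never interpreted)."""
    decision = authorize_send(caller, recipient, template_id, approvals)
    if decision != "allow":
        return {"ok": False, "decision": decision}
    try:
        body = ALLOWED_TEMPLATES[template_id].format(**params)
    except KeyError:
        return {"ok": False, "decision": "deny:missing_template_params"}
    transport(recipient, body)
    return {"ok": True, "decision": decision}
```

The unauthenticated and template checks run before any recipient logic, so an exposed tool surface on its own cannot produce spam or impersonation; the `needs_approval` outcome is what the agent sees for anything that would leave the operator's domain without a matching `Approval`.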

Methodology

This rule belongs to the Tool surface risk dimension, which measures what an agent could do if it trusted every advertised tool. It covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions: the agent-specific threat surface, not just generic verb risk.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.