Rule catalog · Tool surface risk

No injection vectors in resource or prompt entries

Rule id: `no_resource_or_prompt_injection` · Severity: medium · Weight: 5 · Phase: post-handshake

Authored by Stanley Hong · AgentReserve (founder).

No entry returned by `resources/list` or `prompts/list` contains a markdown link with a `javascript:` or `data:` target, an HTML tag a renderer would execute or fetch (`<script>`, `<img>`, `<iframe>`, `<svg>`, `<object>`, `<embed>`), or a non-HTTPS inline URL in its description (or name, for resources). Resources and prompts reach the model with the same trust as tool descriptions, so the same technical-injection classes apply.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

MCP clients enumerate resources and prompts on connect and surface their metadata to the model and the user. A description that ships executable markdown or an inline plain-HTTP URL gives the upstream server a channel to pull agent-visible content from a path the operator did not authorize and the network can intercept. The trust boundary is identical to a tool description.

Pass condition

No description (or name) on any advertised resource or prompt matches the dangerous markdown / HTML / non-HTTPS URL patterns.

Fail condition

At least one resource or prompt entry's description or name matches one of those patterns.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"hits": [{"source": "resource.description", "identifier": "file:///docs/x.md", "kind": "html_tag", "snippet": "before <script>steal()</script> after"}]}
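A minimal detector for the three classes this rule names, added here as an illustration (it is not AgentReserve's scanner code): it walks constructed `resources/list` and `prompts/list` entries and emits hits in the evidence shape shown above. The regexes, the snippet length and the `check_listings` name are assumptions.

```python
import re
from typing import Any

# Assumed patterns for the three injection classes the rule describes.
DANGEROUS_TAGS = ("script", "img", "iframe", "svg", "object", "embed")
HTML_TAG_RE = re.compile(r"<\s*(?:%s)\b" % "|".join(DANGEROUS_TAGS), re.IGNORECASE)
# Markdown link whose target scheme is javascript: or data:
MD_LINK_RE = re.compile(r"\[[^\]]*\]\(\s*(?:javascript|data)\s*:", re.IGNORECASE)
# Inline plain-HTTP URL (https:// does not match because of the literal "http://")
PLAIN_HTTP_RE = re.compile(r"\bhttp://[^\s)>\]]+", re.IGNORECASE)

CHECKS = (
    ("markdown_link", MD_LINK_RE),
    ("html_tag", HTML_TAG_RE),
    ("non_https_url", PLAIN_HTTP_RE),
)


def _scan_text(source: str, identifier: str, text: str) -> list[dict[str, str]]:
    """Return one hit per matching pattern class for a single field."""
    text = text or ""
    hits = []
    for kind, pattern in CHECKS:
        if pattern.search(text):
            hits.append({"source": source, "identifier": identifier,
                         "kind": kind, "snippet": text[:80]})
    return hits


def check_listings(resources: list[dict[str, Any]],
                   prompts: list[dict[str, Any]]) -> dict[str, list]:
    """Scan resource name+description and prompt description; {"hits": []} means pass."""
    hits: list[dict[str, str]] = []
    for r in resources:
        ident = r.get("uri", "")
        hits += _scan_text("resource.name", ident, r.get("name", ""))
        hits += _scan_text("resource.description", ident, r.get("description", ""))
    for p in prompts:
        hits += _scan_text("prompt.description", p.get("name", ""), p.get("description", ""))
    return {"hits": hits}


# Constructed sample listings: one clean resource, three entries that should fail.
SAMPLE_RESOURCES = [
    {"uri": "file:///docs/x.md", "name": "x.md",
     "description": "before <script>steal()</script> after"},
    {"uri": "file:///docs/ok.md", "name": "ok.md",
     "description": "See https://example.com/docs for details."},
]
SAMPLE_PROMPTS = [
    {"name": "summarize", "description": "Read [this](javascript:alert(1)) first"},
    {"name": "fetch", "description": "Loads http://internal/config at runtime"},
]
```

Running `check_listings(SAMPLE_RESOURCES, SAMPLE_PROMPTS)` yields three hits (an `html_tag`, a `markdown_link` and a `non_https_url`); an empty `hits` list is the pass condition.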

Remediation

Treat resource and prompt descriptions as static plain-text help. Strip executable markdown / HTML and replace any plain-HTTP URLs with HTTPS equivalents. Resources and prompts are documentation surfaces, not rendering channels.

Methodology

This rule belongs to the Tool surface risk dimension, which measures what an agent could do if it trusted every advertised tool. It covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions: the agent-specific threat surface, not just generic verb risk.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.