Rule catalog · Tool surface risk

No unconstrained prompt-injection vectors

prompt_injection_surface · high · weight 8 · Post-handshake

Authored by Stanley Hong · AgentReserve (founder).

No advertised tool's `inputSchema` exposes a free-form string property named `prompt`, `query`, `command`, `sql`, `instruction`, or `message` without an `enum`, `pattern`, or `maxLength` ≤ 200. These are the field shapes that let an upstream MCP server smuggle agent-instructable text — model prompts, SQL fragments, shell commands — into the call site.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

An unconstrained instructable-text field is the canonical prompt-injection vector. Once an agent forwards user-controlled text into one of these properties, the upstream server is free to interpret it as a model prompt, an SQL fragment, or a shell command — turning the tool call into an injection sink. Bounded enums, regex patterns, or short maxLength caps each foreclose the vector.

Pass condition

No tool exposes a string property named `prompt`, `query`, `command`, `sql`, `instruction`, or `message` without `enum`, `pattern`, or `maxLength` ≤ 200.

Fail condition

At least one tool exposes such a property unconstrained.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"hits": [{"toolName": "ask", "field": "prompt", "path": "prompt"}]}

Remediation

Constrain instructable-text fields with an `enum`, a strict `pattern`, or a `maxLength` ≤ 200 (or split the field into structured arguments) so callers cannot use them as a prompt-injection sink.
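The pass and fail conditions above, the evidence shape, and the remediation can be exercised together with a small checker. The following is an added example, not AgentReserve's own scanner code: it walks a `tools/list` result, flags every string property with one of the six instructable names that lacks an `enum`, `pattern`, or `maxLength` ≤ 200, and emits hits in the `{"toolName", "field", "path"}` shape shown in the evidence example. The sample `tools/list` payload is constructed; the dotted `path` for a property nested inside an `object` property, and the recursion into nested objects, are assumptions about how such hits would be reported.

```python
"""Check an MCP tools/list result for unconstrained instructable-text fields.

Added example (not the rule catalog's own implementation). Assumes the evidence
path for nested properties is dotted, e.g. "filter.sql".
"""
import json

# Property names the rule treats as instructable text.
INSTRUCTABLE_FIELDS = {"prompt", "query", "command", "sql", "instruction", "message"}
MAX_LEN_CAP = 200


def is_constrained(prop: dict) -> bool:
    """A string property passes if it carries an enum, a pattern, or maxLength <= 200."""
    if "enum" in prop or "pattern" in prop:
        return True
    max_len = prop.get("maxLength")
    return isinstance(max_len, (int, float)) and max_len <= MAX_LEN_CAP


def _is_string(prop: dict) -> bool:
    """True for JSON Schema `type: string` or a type list that includes "string"."""
    t = prop.get("type")
    return t == "string" or (isinstance(t, list) and "string" in t)


def find_hits(tool_name: str, schema: dict, path: str = "") -> list:
    """Collect violations in one inputSchema, recursing into nested object properties
    (assumption: nested hits are reported with a dotted path)."""
    hits = []
    for name, prop in (schema.get("properties") or {}).items():
        if not isinstance(prop, dict):
            continue
        full_path = f"{path}.{name}" if path else name
        if name in INSTRUCTABLE_FIELDS and _is_string(prop) and not is_constrained(prop):
            hits.append({"toolName": tool_name, "field": name, "path": full_path})
        if prop.get("type") == "object":
            hits.extend(find_hits(tool_name, prop, full_path))
    return hits


def evaluate(tools_list_result: dict) -> dict:
    """Return {"pass": bool, "evidence": {"hits": [...]}} for a tools/list result."""
    hits = []
    for tool in tools_list_result.get("tools", []):
        hits.extend(find_hits(tool.get("name", "?"), tool.get("inputSchema") or {}))
    return {"pass": not hits, "evidence": {"hits": hits}}


# Constructed sample tools/list result: two failing tools and one remediated tool.
SAMPLE_TOOLS = {
    "tools": [
        {   # free-form prompt with no constraint: fails
            "name": "ask",
            "inputSchema": {"type": "object",
                            "properties": {"prompt": {"type": "string"}}},
        },
        {   # unconstrained sql nested under a filter object: fails, dotted path
            "name": "report",
            "inputSchema": {"type": "object",
                            "properties": {"filter": {"type": "object",
                                                      "properties": {"sql": {"type": "string"}}}}},
        },
        {   # remediated per the rule: short maxLength cap and a bounded enum
            "name": "lookup",
            "inputSchema": {"type": "object",
                            "properties": {"query": {"type": "string", "maxLength": 64},
                                           "command": {"type": "string", "enum": ["status", "list"]}}},
        },
    ]
}

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_TOOLS), indent=2))
```

Running the module prints a failing verdict with two hits (`ask.prompt` and `report.filter.sql`); evaluating only the `lookup` tool passes, which is the state the remediation above aims for.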

Methodology

This rule belongs to the Tool surface risk dimension, which measures what an agent could do if it trusted every advertised tool. The dimension covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions — i.e. the agent-specific threat surface, not just generic verb risk.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.