Sampled resource contents contain no injection vectors
Authored by Stanley Hong · AgentReserve (founder).
Up to three https resources advertised by `resources/list` are fetched via `resources/read` (capped at 8 KB each, and fully redacted) and scanned for the same injection patterns the scanner applies to tool descriptions: dangerous markdown links (`[text](javascript:…)` / `[text](data:…)`), executable HTML tags (`<script>`, `<iframe>`, `<svg>`, `<object>`, `<embed>`), and inline non-https URLs. Until tier-3-final the probe scanned only the `resources/list` metadata; this rule closes the gap in which a server publishes clean metadata while the resource body itself carries the injection payload.
When this rule runs
Requires a successful MCP `initialize` / `tools/list` handshake. Skipped on perimeter-only scans, where the server refused or failed the MCP handshake.
Why it matters
MCP clients render resource content into the agent's context; that is the whole point of `resources/read`. A malicious server can ship a benign-looking `resources/list` entry whose body delivers a `<script>` element or a `javascript:` markdown link only when the client actually fetches it. Scanning the metadata alone misses this whole class of attack. The probe samples a small, capped slice (3 resources × 8 KB) to keep the overhead bounded while still catching the canonical patterns.
Pass condition
No sampled resource body matches the dangerous markdown / HTML / non-https URL patterns.
Fail condition
At least one sampled resource body matches one of those patterns.
Evidence examples
When the rule fails, the report records evidence in roughly this shape:
{"hits": [{"kind": "html_tag", "uri": "https://docs.example.com/x", "snippet": "<script>steal()</script>"}]}
Remediation
Treat resource contents as static text the agent will read verbatim. Strip executable markdown and HTML, replace plain-http inline URLs with their https equivalents, and avoid serving rendered HTML through resources at all: the clients are agents, not browsers.
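The following is an added example, not AgentReserve's probe code, showing both the check this rule describes and the remediation above: it samples up to three https resources, caps each body at 8 KB, scans for the three pattern classes, emits hits in the evidence shape shown earlier, then applies the remediation and re-scans. The regexes, the in-memory stand-in for `resources/read`, the `kind` names other than `html_tag`, and the sample resource bodies are all assumptions made for this example.

```python
"""Added example (not AgentReserve's code): the resource-body injection scan this
rule describes, run over constructed sample resources, plus the remediation
applied and re-checked.  Regex details, the in-memory stand-in for resources/read,
the 'kind' names other than "html_tag", and the sample bodies are assumptions.
"""
import json
import re

MAX_RESOURCES = 3        # sample at most three https resources
MAX_BYTES = 8 * 1024     # cap each body at 8 KB before scanning

# [text](javascript:...) / [text](data:...) markdown links; group 1 keeps the link text
MD_LINK_RE = re.compile(r"\[([^\]]*)\]\(\s*(?:javascript|data)\s*:[^)]*\)", re.I)
# an executable HTML element, including its content when a closing tag is present
HTML_TAG_RE = re.compile(
    r"<\s*(script|iframe|svg|object|embed)\b[^>]*>(?:.*?<\s*/\s*\1\s*>)?", re.I | re.S)
# any scheme://... URL whose scheme is not https (http, ftp, file, ...)
NON_HTTPS_URL_RE = re.compile(r"\b(?!https:)[a-z][a-z0-9+.-]*://\S+", re.I)

PATTERNS = [("md_link", MD_LINK_RE), ("html_tag", HTML_TAG_RE),
            ("non_https_url", NON_HTTPS_URL_RE)]


def scan_body(uri, body):
    """Return evidence hits for one body in the {"kind", "uri", "snippet"} shape."""
    return [{"kind": kind, "uri": uri, "snippet": m.group(0)[:80]}
            for kind, rx in PATTERNS for m in rx.finditer(body)]


def sample_and_scan(resource_list, read_resource):
    """Fetch up to MAX_RESOURCES https resources, cap each at MAX_BYTES, scan them."""
    https_uris = [r["uri"] for r in resource_list if r["uri"].startswith("https://")]
    hits = []
    for uri in https_uris[:MAX_RESOURCES]:
        raw = read_resource(uri).encode("utf-8")[:MAX_BYTES]   # byte cap, as the probe does
        hits.extend(scan_body(uri, raw.decode("utf-8", "ignore")))
    return {"hits": hits}


def verdict(report):
    """Pass only when no sampled body produced a hit."""
    return "fail" if report["hits"] else "pass"


def sanitize(body):
    """Remediation: keep link text but drop javascript:/data: targets, remove
    executable elements outright, and upgrade plain-http URLs to https."""
    body = MD_LINK_RE.sub(r"\1", body)
    body = HTML_TAG_RE.sub("", body)
    return re.sub(r"\bhttp://", "https://", body, flags=re.I)


# Constructed sample server (no real host): what resources/list advertises and
# what resources/read would return for each uri.
SAMPLE_LIST = [
    {"uri": "https://docs.example.com/x", "name": "x"},
    {"uri": "https://docs.example.com/clean", "name": "clean"},
    {"uri": "file:///etc/passwd", "name": "local"},             # not https: never fetched
    {"uri": "https://docs.example.com/links", "name": "links"},
    {"uri": "https://docs.example.com/fifth", "name": "fifth"},  # beyond the 3-resource cap
]
BIG_URI = "https://docs.example.com/big"
SAMPLE_BODIES = {
    "https://docs.example.com/x": "# Setup\n<script>steal()</script>\nRun the installer.",
    "https://docs.example.com/clean": "Plain text with a safe link: https://docs.example.com/ok",
    "https://docs.example.com/links":
        "[docs](javascript:document.location=document.cookie)  mirror: http://mirror.example.com/pkg",
    "https://docs.example.com/fifth": "<iframe src=x></iframe>",
    # payload placed past the 8 KB cap: a coverage limit of sampling, not a pass
    BIG_URI: "A" * 9000 + "<script>x</script>",
}


def read_resource(uri):
    """In-memory stand-in for resources/read (assumption for this example)."""
    return SAMPLE_BODIES[uri]


if __name__ == "__main__":
    report = sample_and_scan(SAMPLE_LIST, read_resource)
    print(verdict(report), json.dumps(report, indent=1))
    for uri in ("https://docs.example.com/x", "https://docs.example.com/links"):
        fixed = sanitize(SAMPLE_BODIES[uri])
        print(uri, "after remediation:", verdict({"hits": scan_body(uri, fixed)}))
    print("payload beyond the cap:", verdict(sample_and_scan([{"uri": BIG_URI}], read_resource)))
```

Two things worth noting from running it. The `file://` entry is never fetched and the fifth https resource is never looked at, so a server can still hide a payload in the fourth resource onward or past the 8 KB mark: the rule is a bounded sample, and a pass is evidence of absence only for the slice it read. Conversely, `sanitize` keeps the visible link text and removes the target, which matches the remediation of serving plain text rather than anything a client might render.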
Methodology
This rule belongs to the Tool surface risk dimension: what an agent could do if it trusted every advertised tool. The dimension covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions, i.e. the agent-specific threat surface rather than generic verb risk alone.
Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.