Tool annotations are consistent with the surface

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Tool annotations exist so a client (or a reviewing operator) can decide whether to allow a call without invoking it. A tool that lies — `readOnlyHint:true` on a `delete_record`, or `destructiveHint:false` on a tool whose name and schema say `purge` — defeats that contract. The MCP spec calls hints advisory, but explicit hints that contradict the surface are misdeclaration, not absence.

No tool combines `readOnlyHint:true` with `destructiveHint:true`; no tool with `readOnlyHint:true` is classified as destructive (delete/write/financial); no tool with `destructiveHint:false` is classified as destructive.

At least one tool's annotations contradict each other or contradict the scanner's classification of the tool's surface.

When the rule fails, the report records evidence in roughly this shape:

• {"hits": [{"toolName": "delete_record", "kind": "readonly_but_destructive_capability", "annotation": {"readOnlyHint": true}, "capabilityKind": "delete_data"}]}

Make tool annotations match the tool's actual surface. If `readOnlyHint:true`, the tool must not have a destructive verb in its name or schema. If a tool can delete, set `destructiveHint:true` and remove any `readOnlyHint:true` claim.

This rule belongs to the Tool surface risk dimension. What an agent could do if it trusted every advertised tool. Covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions — i.e. the agent-specific threat surface, not just generic verb risk.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.