AR001_UNBOUNDED_WRITE_ACTIONUnbounded write action |
OpenAPI and MCP where current findings apply |
high |
A write, money movement, or externally visible action lacks bounded parameters. |
An amount, limit, quantity, price, discount, duration or similar field is accepted without a documented bound. |
Add minimum and maximum values, currency or unit constraints, closed sets and business limits. |
Current coverage follows implemented findings; it does not infer every dynamic business limit. |
AR002_MISSING_CONFIRMATION_BOUNDARYMissing confirmation boundary |
OpenAPI and MCP |
critical |
A dangerous action lacks a documented human confirmation boundary. |
A dangerous action such as refund, pay, transfer, delete, send, export or cancel lacks preview, confirmation and verification guidance. |
Document preview, explicit human confirmation, execution and post-action verification. |
The scanner checks contract text and schema; it does not observe a live approval workflow. |
AR003_DESTRUCTIVE_OPERATION_AMBIGUOUSDestructive operation ambiguous |
MCP in current implementation |
high |
A destructive or risky action is not described clearly enough for agent use. |
An MCP tool appears dangerous but its description does not explain the irreversible or external effect. |
Use precise descriptions that name the risky effect, target, confirmation and allowed use. |
Current public coverage is strongest for MCP dangerous-tool descriptions. |
AR004_BULK_ACTION_WITHOUT_LIMITBulk action without limit |
OpenAPI and MCP where response structure is analyzable |
medium |
A collection, bulk, or large response operation lacks limits or structure. |
A list, export, bulk or collection response lacks pagination, size bounds or structured output. |
Add pagination, maximum limits, filters and response schemas designed for agent consumption. |
Runtime volume, permissions and tenant data are outside static detection. |
AR005_SENSITIVE_DATA_EXPOSURESensitive data exposure |
OpenAPI and MCP |
high |
The tool may expose personal, financial, authentication or customer data. |
A contract exposes data classes that require least-privilege, redaction, pagination or boundary documentation. |
Document permission scope, redaction, pagination, data minimization and safe use boundaries. |
This is not a data protection audit or legal privacy certification. |
AR006_MISSING_DRY_RUN_OR_PREVIEWMissing dry run or preview |
OpenAPI and MCP |
high or medium by finding |
A state-changing action lacks preview, success verification, or an equivalent safe check. |
A state-changing or irreversible operation lacks an explicit preview, dry run, idempotent check or verification path. |
Add preview endpoints, confirmation steps, post-action verification and clear success criteria. |
The scanner cannot prove that the runtime truly enforces the preview. |
AR007_OVERBROAD_TOOL_SCOPEOverbroad tool scope |
OpenAPI and MCP |
high or medium by finding |
The tool scope or permission boundary is broader than an agent should receive. |
A tool exposes broad permissions, confusing context or capabilities beyond the task an agent needs. |
Separate narrow tools, document scopes, reduce permissions and make context boundaries explicit. |
Static analysis cannot inspect actual IAM grants or live authorization policy. |
AR008_MISSING_IDEMPOTENCY_OR_ROLLBACKMissing idempotency or rollback |
OpenAPI and MCP where current findings apply |
medium |
The tool does not document corrective errors, retries, rollback or recovery behavior. |
Errors, retries or recovery behavior do not help an agent correct or safely retry a call. |
Document corrective errors, conflict handling, idempotency keys, retry guidance and recovery steps. |
Current public wording is broader than some implemented heuristics; treat as a contract-readiness signal. |
AR009_UNCLEAR_AGENT_INSTRUCTIONSUnclear agent instructions |
OpenAPI and MCP |
medium |
The tool name, description, action type or usage instructions are unclear for agents. |
An operation or MCP tool is vague, missing usage boundaries or lacks output shape needed by an agent. |
Use stable names, business-context descriptions, when-to-use and when-not-to-use guidance, and output schemas. |
A clear contract can still be misused by a poorly controlled agent runtime. |
AR010_MISSING_RATE_OR_SCOPE_LIMITMissing rate or scope limit |
OpenAPI and MCP |
medium or high by finding |
The tool contract lacks required fields, closed sets, schema constraints or scope limits. |
Input is too open, required fields are missing, or closed-set values are not encoded in schema. |
Add required fields, enums, structured input schemas, scoped parameters and explicit limits. |
This does not inspect live rate-limit enforcement unless it is expressed in the contract. |