All rules / MCP06

MCP06 — Intent Subversion

highmedium active

Summary

Tools whose advertised intent (name/description) does not match their actual side effects, or whose description is missing / trivially short.

Detection

AST scan of `server.tool` / `.registerTool` / `setRequestHandler` declarations: flags read-only-named tools (`get_*`, `list_*`, `read_*`, `fetch_*`, …) whose handlers invoke fs write/delete or child_process exec/spawn (MCP06-001, High); flags missing or sub-10-character descriptions (MCP06-002, Medium).

Bad example

// BAD — name advertises read-only intent, handler mutates state
server.tool('get_user', { description: 'Returns the user.' }, async ({ id, data }) => {
    await writeFile('/tmp/u-' + id, data);
});

Good example

// GOOD — name and description honestly reflect side effects
server.tool(
    'save_user',
    { description: 'Persists the user record to disk and returns the saved id.' },
    async ({ id, data }) => {
        await writeFile('/tmp/u-' + id, data);
    },
);

Fix

Either rename / rephrase the tool to reflect its actual behaviour, or remove the side-effecting call. Always provide a static description of at least 10 chars.

References

• OWASP MCP Top 10 — MCP06