react-doctor/agent-tool-capability-risk

An AI agent tool that can reach shell, filesystem, or network primitives lets prompt-injected input trigger those actions, because the model treats tool arguments as trusted.

• Category: Security
• Severity: warn
• Source: oxlint-plugin-react-doctor
• Framework: global
• Enabled when: production source files (.js/.ts/.tsx) located under an agents/tools/mcp directory or with an agent/tool/mcp filename; tests/build/docs/generated paths skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires only in a file whose path is under an agents/, tools/, or mcp/ directory (or whose filename contains agent/tool/mcp) that BOTH defines a tool — tool({, createTool(, defineTool(, or new DynamicTool(/new StructuredTool( — AND, anywhere in the same file (comments stripped first), references a dangerous-capability keyword: exec/execSync/spawn/child_process/eval/new Function/vm.run/readFile/writeFile/fs.read/fs.write/fetch/axios/http.request/sandbox/runCode/executeCode. FALSE POSITIVE to suppress: the dangerous keyword lives in unrelated code in the same file and is not actually wired into the tool's handler, or the tool already validates/allowlists its arguments and scopes the capability so prompt-injected input cannot reach the primitive. This is a file-level co-occurrence heuristic, not data-flow, so confirm the capability is reachable from tool input.

Fix prompt

Use this once validation confirms the diagnostic is real.

Treat every tool argument as attacker-controlled. Validate inputs against a strict schema and allowlist commands, paths, and hosts instead of passing free-form strings into exec/spawn/fs/fetch; never use shell: true or build shell commands by concatenation. Scope each capability to the minimum it needs (sandbox, read-only filesystem, egress allowlist), and prefer purpose-built operations over raw shell, filesystem, or network access.