MCP Server Security & Performance Analysis — v0.3.0
| Test ID | Severity | Test Name | Description / Details | Duration |
|---|---|---|---|---|
| SECURITY · 341 tests | ||||
| T04-001 | MEDIUM | Rug Pull Detection (Mutation Check) |
1 tool description(s) grew between two consecutive list_tools() calls (3 s apart). Descriptions only extended — likely C…Tool 'query_worker_observability' description CHANGED at char 1000:
Length: 1001 → 1603 chars (grew)
BEFORE[920:1001]: 'ore applying filters, use the observability_keys and observability_values tools …'
AFTER [920:1160]: 'ore applying filters, use the observability_keys and observability_values tools to confirm available filter fields and the correct filter value to add unless you have the data in a response from a previous query.\n- Common filter fields: $m'
Remediation:
Tool descriptions should be fully materialized at startup. If descriptions grow between calls, clients may make tool-use decisions based on incomplete instructions. Ensure list_tools() always returns the full, stable description. |
3772ms |
| T04-003 | LOW | Cross-Tool Reference Detection |
Found 4 cross-tool reference(s) in tool descriptions — server uses chained workflow guidance. Verify no sensitive data i… Tool 'workers_list' description references 'workers_get_worker'
Tool 'query_worker_observability' description references 'observability_keys'
Tool 'query_worker_observability' description references 'observability_values'
Tool 'observability_values' description references 'observability_keys'
Remediation:
Cross-tool references in descriptions are common in multi-step APIs and are not inherently malicious. Review each reference to confirm it describes legitimate workflow guidance (e.g. 'call tool X first to discover available values') rather than parasitic data exfiltration (e.g. 'silently forward results to tool Y'). Tool descriptions must describe only the tool's own behaviour. References to other tool names in a description can trick LLMs into invoking them as a silent side-effect, creating an unaudited tool chain. |
1ms |
| T24-001 | LOW | Deserialisation — Summary | 1 tool(s) leaked deserialiser markers in error messages. | 41758ms |
| T24-TOOL-search_cloudflare_do-DS-005 | LOW | Deserialisation DS-005 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' error suggests XML parser is being invoked on user input. No confirmed RCE — revi…Match: 'DTD'
|
2463ms |
| T09-TOOL-observability_keys | INFO | Output Sanitization → observability_keys |
Tool 'observability_keys' rejected probe (auth or param requirements).MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
|
867ms |
| T09-TOOL-observability_values | INFO | Output Sanitization → observability_values |
Tool 'observability_values' rejected probe (auth or param requirements).MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
|
1091ms |
| T09-TOOL-query_worker_observability | INFO | Output Sanitization → query_worker_observability |
Tool 'query_worker_observability' rejected probe (auth or param requirements).MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object
|
912ms |
| T13-002 | INFO | Unsolicited Sampling Requests | MCP client SDK does not expose an incoming-request hook; unsolicited sampling detection relies on capability audit (T13-001). | 4780ms |
| T17-002 | INFO | Description Fingerprint Inventory |
Catalogued 10 SHA-256 description fingerprints. Use `mcpsafe compare` to detect drift across scans.tool:accounts_list = 5b092e5b13d398591a90b88732d161edee087e873329800d526898fcc97efc55
tool:workers_list = 40b94ea10490da2fe37812d2af477258fd99d33f932476d55c2e5ed9986a176b
tool:workers_get_worker = 5a3d286bf48d31d954354e821dd297ee5eb7d691b2931a4ee07192888a364f1b
tool:workers_get_worker_code = 8ac90fec2b98bbabab81fec21c60ec50077c558cec980da4555f8767bf3a904f
tool:query_worker_observability = 7af12e09a11ef1ce58e4082b1c5032adccce4c4e84246cb97e3978afcfe0c706
tool:observability_keys = 083d0de606c7edc1b5296e776713eeea85cfd623459e3c4cf109b622507fc235
tool:observability_values = 6f7716f7694ef1b9dc4c8be5b03b8e74158dd2f6228b572a280bcc7448155ea1
tool:search_cloudflare_documentation = fb5bf70a271f9ccaf9062c13f058b203e21fe88ee413284e495d9035eb2c7513
tool:migrate_pages_to_workers_guide = fc1b50a88c58bc18d7add334587e6d1624d0b88357cd88486ea9bd6f1be37808
prompt:workers-prompt-full = 07abf707ebcefee88382f79d897d6044c2bbd61df9689f3592e599d9154c42b3
|
0ms |
| T18-001 | INFO | SSRF — Summary | Server does not expose resources/read; SSRF probes skipped. | 0ms |
| T25-001 | INFO | IDOR — Summary | Server does not expose resources — IDOR probe skipped. | 0ms |
| T27-001 | INFO | Session Token Reuse After Close | Could not extract the session identifier from SDK internals — reuse-after-close check could not be performed. | 7682ms |
| T27-002 | INFO | Session Token Entropy | No session token exposed by SDK — entropy check skipped. | 0ms |
| T27-003 | INFO | Session Token Leak in Response | No session token exposed by SDK — leak check skipped. | 0ms |
| T30-001 | INFO | OAuth AS Discovery | Server does not expose .well-known/oauth-authorization-server (status 404). OAuth flow tests will be skipped. | 1214ms |
| T02-search_cloudflare_documentation-PI-001 | PASS | Injection PI-001 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-001 (Classic override) gracefully.Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/waf/detections/ai-security-for-apps/prompt-injection/</url>\n<title></title>\n<text>\n### Why a score instead of a boolea'
|
3120ms |
| T02-search_cloudflare_documentation-PI-002 | PASS | Injection PI-002 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-002 (Newline injection) gracefully.Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/ai-search/configuration/system-prompt/</url>\n<title></title>\n<text>\n# System prompt\n\nSystem prompts allow you to guide'
|
2091ms |
| T02-search_cloudflare_documentation-PI-003 | PASS | Injection PI-003 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-003 (XML tag injection) gracefully.Response excerpt: ''
|
2131ms |
| T02-search_cloudflare_documentation-PI-004 | PASS | Injection PI-004 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-004 (SQL injection probe) gracefully.Response excerpt: ''
|
2507ms |
| T02-search_cloudflare_documentation-PI-005 | PASS | Injection PI-005 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-005 (Shell injection) gracefully.Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/workers/wrangler/commands/general/</url>\n<title></title>\n<text>\n## `auth`\n\n### `auth token`\n\nRetrieve your current aut'
|
2122ms |
| T02-search_cloudflare_documentation-PI-006 | PASS | Injection PI-006 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-006 (Backtick injection) gracefully.Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/workers-ai/models/kimi-k2.5/</url>\n<title></title>\n<text>\n* `id` ` string ` required \n '
|
2862ms |
| T02-search_cloudflare_documentation-PI-007 | PASS | Injection PI-007 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-007 (Path traversal) gracefully.Response excerpt: ''
|
2796ms |
| T02-search_cloudflare_documentation-PI-008 | PASS | Injection PI-008 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-008 (Right-to-left override unicode) gracefully.Response excerpt: ''
|
2531ms |
| T02-search_cloudflare_documentation-PI-009 | PASS | Injection PI-009 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-009 (Null byte injection) gracefully.Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/workers/best-practices/workers-best-practices/</url>\n<title></title>\n<text>\n// ✅ Good: test the null case explicitly\n\n'
|
2160ms |
| T02-search_cloudflare_documentation-PI-010 | PASS | Injection PI-010 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-010 (BOM character) gracefully.Response excerpt: ''
|
2153ms |
| T02-search_cloudflare_documentation-PI-011 | PASS | Injection PI-011 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-011 (Rug pull attempt) gracefully.Response excerpt: ''
|
2370ms |
| T02-search_cloudflare_documentation-PI-012 | PASS | Injection PI-012 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-012 (Exfiltration instruction) gracefully.Response excerpt: ''
|
2303ms |
| T02-search_cloudflare_documentation-PI-013 | PASS | Injection PI-013 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-013 (Large payload DoS probe 10k) gracefully.Response excerpt: ''
|
3484ms |
| T02-search_cloudflare_documentation-PI-014 | PASS | Injection PI-014 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-014 (Large payload DoS probe 100k) gracefully.Response excerpt: ''
|
5688ms |
| T02-search_cloudflare_documentation-PI-015 | PASS | Injection PI-015 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-015 (Jinja template injection) gracefully.Response excerpt: ''
|
2397ms |
| T02-search_cloudflare_documentation-PI-016 | PASS | Injection PI-016 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-016 (Python format injection) gracefully.Response excerpt: ''
|
2397ms |
| T02-workers_get_worker-PI-001 | PASS | Injection PI-001 → workers_get_worker |
Tool 'workers_get_worker' handled PI-001 (Classic override) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1478ms |
| T02-workers_get_worker-PI-002 | PASS | Injection PI-002 → workers_get_worker |
Tool 'workers_get_worker' handled PI-002 (Newline injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1104ms |
| T02-workers_get_worker-PI-003 | PASS | Injection PI-003 → workers_get_worker |
Tool 'workers_get_worker' handled PI-003 (XML tag injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1320ms |
| T02-workers_get_worker-PI-004 | PASS | Injection PI-004 → workers_get_worker |
Tool 'workers_get_worker' handled PI-004 (SQL injection probe) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1038ms |
| T02-workers_get_worker-PI-005 | PASS | Injection PI-005 → workers_get_worker |
Tool 'workers_get_worker' handled PI-005 (Shell injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1044ms |
| T02-workers_get_worker-PI-006 | PASS | Injection PI-006 → workers_get_worker |
Tool 'workers_get_worker' handled PI-006 (Backtick injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1206ms |
| T02-workers_get_worker-PI-007 | PASS | Injection PI-007 → workers_get_worker |
Tool 'workers_get_worker' handled PI-007 (Path traversal) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
788ms |
| T02-workers_get_worker-PI-008 | PASS | Injection PI-008 → workers_get_worker |
Tool 'workers_get_worker' handled PI-008 (Right-to-left override unicode) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1035ms |
| T02-workers_get_worker-PI-009 | PASS | Injection PI-009 → workers_get_worker |
Tool 'workers_get_worker' handled PI-009 (Null byte injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
919ms |
| T02-workers_get_worker-PI-010 | PASS | Injection PI-010 → workers_get_worker |
Tool 'workers_get_worker' handled PI-010 (BOM character) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1797ms |
| T02-workers_get_worker-PI-011 | PASS | Injection PI-011 → workers_get_worker |
Tool 'workers_get_worker' handled PI-011 (Rug pull attempt) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1067ms |
| T02-workers_get_worker-PI-012 | PASS | Injection PI-012 → workers_get_worker |
Tool 'workers_get_worker' handled PI-012 (Exfiltration instruction) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
996ms |
| T02-workers_get_worker-PI-013 | PASS | Injection PI-013 → workers_get_worker |
Tool 'workers_get_worker' handled PI-013 (Large payload DoS probe 10k) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1354ms |
| T02-workers_get_worker-PI-014 | PASS | Injection PI-014 → workers_get_worker |
Tool 'workers_get_worker' handled PI-014 (Large payload DoS probe 100k) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1092ms |
| T02-workers_get_worker-PI-015 | PASS | Injection PI-015 → workers_get_worker |
Tool 'workers_get_worker' handled PI-015 (Jinja template injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1041ms |
| T02-workers_get_worker-PI-016 | PASS | Injection PI-016 → workers_get_worker |
Tool 'workers_get_worker' handled PI-016 (Python format injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
957ms |
| T02-workers_get_worker_code-PI-001 | PASS | Injection PI-001 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-001 (Classic override) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1053ms |
| T02-workers_get_worker_code-PI-002 | PASS | Injection PI-002 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-002 (Newline injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1388ms |
| T02-workers_get_worker_code-PI-003 | PASS | Injection PI-003 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-003 (XML tag injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
984ms |
| T02-workers_get_worker_code-PI-004 | PASS | Injection PI-004 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-004 (SQL injection probe) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1176ms |
| T02-workers_get_worker_code-PI-005 | PASS | Injection PI-005 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-005 (Shell injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 <!DOCTYPE html>\n<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->\n<!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--'
|
688ms |
| T02-workers_get_worker_code-PI-006 | PASS | Injection PI-006 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-006 (Backtick injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1072ms |
| T02-workers_get_worker_code-PI-007 | PASS | Injection PI-007 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-007 (Path traversal) gracefully.Response excerpt: 'Error retrieving worker script: 404 {"result":null,"success":false,"errors":[{"code":7003,"message":"Could not route to /client/v4/accounts/etc/passwd, perhaps your object identifier is invalid?"}],"m'
|
809ms |
| T02-workers_get_worker_code-PI-008 | PASS | Injection PI-008 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-008 (Right-to-left override unicode) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1553ms |
| T02-workers_get_worker_code-PI-009 | PASS | Injection PI-009 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-009 (Null byte injection) gracefully.Response excerpt: 'Error retrieving worker script: 400 <html>\r\n<head><title>400 Bad Request</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n<hr><center>cloudflare</center>\r\n</body>\r\n</html>\r\n'
|
867ms |
| T02-workers_get_worker_code-PI-010 | PASS | Injection PI-010 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-010 (BOM character) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
2242ms |
| T02-workers_get_worker_code-PI-011 | PASS | Injection PI-011 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-011 (Rug pull attempt) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1685ms |
| T02-workers_get_worker_code-PI-012 | PASS | Injection PI-012 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-012 (Exfiltration instruction) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1120ms |
| T02-workers_get_worker_code-PI-013 | PASS | Injection PI-013 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-013 (Large payload DoS probe 10k) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1231ms |
| T02-workers_get_worker_code-PI-014 | PASS | Injection PI-014 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-014 (Large payload DoS probe 100k) gracefully.Response excerpt: 'Error retrieving worker script: 400 error code: 1036'
|
1864ms |
| T02-workers_get_worker_code-PI-015 | PASS | Injection PI-015 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-015 (Jinja template injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1192ms |
| T02-workers_get_worker_code-PI-016 | PASS | Injection PI-016 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-016 (Python format injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1307ms |
| T03-03-scriptname-FUZZ-STR-001 | PASS | Fuzz FUZZ-STR-001 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-001 (empty string) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
1676ms |
| T03-03-scriptname-FUZZ-STR-002 | PASS | Fuzz FUZZ-STR-002 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-002 (single space) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
1055ms |
| T03-03-scriptname-FUZZ-STR-003 | PASS | Fuzz FUZZ-STR-003 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-003 (whitespace only) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
1168ms |
| T03-03-scriptname-FUZZ-STR-004 | PASS | Fuzz FUZZ-STR-004 → workers_get_worker.scriptName |
Tool 'workers_get_worker' returned a structured error for FUZZ-STR-004 (null value) on param 'scriptName' — handled grac…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "null",
"path": [
"scriptName"
],
"message": "Expected string, received null"
}
]
|
884ms |
| T03-03-scriptname-FUZZ-STR-005 | PASS | Fuzz FUZZ-STR-005 → workers_get_worker.scriptName |
Tool 'workers_get_worker' returned a structured error for FUZZ-STR-005 (integer as string field) on param 'scriptName' —…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "number",
"path": [
"scriptName"
],
"message": "Expected string, received number"
}
]
|
715ms |
| T03-03-scriptname-FUZZ-STR-006 | PASS | Fuzz FUZZ-STR-006 → workers_get_worker.scriptName |
Tool 'workers_get_worker' returned a structured error for FUZZ-STR-006 (boolean as string field) on param 'scriptName' —…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "boolean",
"path": [
"scriptName"
],
"message": "Expected string, received boolean"
}
]
|
807ms |
| T03-03-scriptname-FUZZ-STR-007 | PASS | Fuzz FUZZ-STR-007 → workers_get_worker.scriptName |
Tool 'workers_get_worker' returned a structured error for FUZZ-STR-007 (list as string field) on param 'scriptName' — ha…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "array",
"path": [
"scriptName"
],
"message": "Expected string, received array"
}
]
|
887ms |
| T03-03-scriptname-FUZZ-STR-008 | PASS | Fuzz FUZZ-STR-008 → workers_get_worker.scriptName |
Tool 'workers_get_worker' returned a structured error for FUZZ-STR-008 (dict as string field) on param 'scriptName' — ha…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "object",
"path": [
"scriptName"
],
"message": "Expected string, received object"
}
]
|
1037ms |
| T03-03-scriptname-FUZZ-STR-009 | PASS | Fuzz FUZZ-STR-009 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-009 (very long string 10k) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
1097ms |
| T03-03-scriptname-FUZZ-STR-010 | PASS | Fuzz FUZZ-STR-010 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-010 (newlines and tabs) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
980ms |
| T03-03-scriptname-FUZZ-STR-011 | PASS | Fuzz FUZZ-STR-011 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-011 (null byte in string) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
910ms |
| T03-03-scriptname-FUZZ-STR-012 | PASS | Fuzz FUZZ-STR-012 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-012 (all unicode planes) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
706ms |
| T03-04-scriptname-FUZZ-STR-001 | PASS | Fuzz FUZZ-STR-001 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-001 (empty string) on param 'scriptName' correctly.Response excerpt: 'meta=None content=[TextContent(type=\'text\', text=\'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}\', annotat'
|
913ms |
| T03-04-scriptname-FUZZ-STR-002 | PASS | Fuzz FUZZ-STR-002 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-002 (single space) on param 'scriptName' correctly.Response excerpt: 'meta=None content=[TextContent(type=\'text\', text=\'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}\', annotat'
|
1245ms |
| T03-04-scriptname-FUZZ-STR-003 | PASS | Fuzz FUZZ-STR-003 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-003 (whitespace only) on param 'scriptName' correctly.Response excerpt: 'meta=None content=[TextContent(type=\'text\', text=\'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}\', annotat'
|
1140ms |
| T03-04-scriptname-FUZZ-STR-004 | PASS | Fuzz FUZZ-STR-004 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' returned a structured error for FUZZ-STR-004 (null value) on param 'scriptName' — handled…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "null",
"path": [
"scriptName"
],
"message": "Expected string, received null"
}
]
|
710ms |
| T03-04-scriptname-FUZZ-STR-005 | PASS | Fuzz FUZZ-STR-005 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' returned a structured error for FUZZ-STR-005 (integer as string field) on param 'scriptNa…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "number",
"path": [
"scriptName"
],
"message": "Expected string, received number"
}
]
|
850ms |
| T03-04-scriptname-FUZZ-STR-006 | PASS | Fuzz FUZZ-STR-006 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' returned a structured error for FUZZ-STR-006 (boolean as string field) on param 'scriptNa…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "boolean",
"path": [
"scriptName"
],
"message": "Expected string, received boolean"
}
]
|
882ms |
| T03-04-scriptname-FUZZ-STR-007 | PASS | Fuzz FUZZ-STR-007 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' returned a structured error for FUZZ-STR-007 (list as string field) on param 'scriptName'…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "array",
"path": [
"scriptName"
],
"message": "Expected string, received array"
}
]
|
1153ms |
| T03-04-scriptname-FUZZ-STR-008 | PASS | Fuzz FUZZ-STR-008 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' returned a structured error for FUZZ-STR-008 (dict as string field) on param 'scriptName'…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "object",
"path": [
"scriptName"
],
"message": "Expected string, received object"
}
]
|
850ms |
| T03-04-scriptname-FUZZ-STR-009 | PASS | Fuzz FUZZ-STR-009 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-009 (very long string 10k) on param 'scriptName' correctly.Response excerpt: 'meta=None content=[TextContent(type=\'text\', text=\'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}\', annotat'
|
1426ms |
| T03-04-scriptname-FUZZ-STR-010 | PASS | Fuzz FUZZ-STR-010 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-010 (newlines and tabs) on param 'scriptName' correctly.Response excerpt: 'meta=None content=[TextContent(type=\'text\', text=\'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}\', annotat'
|
1279ms |
| T03-04-scriptname-FUZZ-STR-011 | PASS | Fuzz FUZZ-STR-011 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-011 (null byte in string) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: 400 <html>\\r\\n<head><title>400 Bad Request</title></head>\\r\\n<body>\\r\\n<center><h1>400 Bad Request</h1></center>\\r\\n<h"
|
1190ms |
| T03-04-scriptname-FUZZ-STR-012 | PASS | Fuzz FUZZ-STR-012 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-012 (all unicode planes) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: 400 <html>\\r\\n<head><title>400 Bad Request</title></head>\\r\\n<body>\\r\\n<center><h1>400 Bad Request</h1></center>\\r\\n<h"
|
1116ms |
| T03-05-query-FUZZ-OBJ-001 | PASS | Fuzz FUZZ-OBJ-001 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-001 (null as object) on param 'query' — handl…McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "object",
"received": "null",
"path": [
"query"
],
"message": "Expected object, received null"
}
]
|
879ms |
| T03-05-query-FUZZ-OBJ-002 | PASS | Fuzz FUZZ-OBJ-002 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-002 (list as object) on param 'query' — handl…McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "object",
"received": "array",
"path": [
"query"
],
"message": "Expected object, received array"
}
]
|
833ms |
| T03-05-query-FUZZ-OBJ-003 | PASS | Fuzz FUZZ-OBJ-003 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-003 (string as object) on param 'query' — han…McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "object",
"received": "string",
"path": [
"query"
],
"message": "Expected object, received string"
}
]
|
803ms |
| T03-05-query-FUZZ-OBJ-004 | PASS | Fuzz FUZZ-OBJ-004 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-004 (empty object) on param 'query' — handled…McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object
|
868ms |
| T03-05-query-FUZZ-OBJ-005 | PASS | Fuzz FUZZ-OBJ-005 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-005 (prototype pollution) on param 'query' — …McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object
|
750ms |
| T03-05-query-FUZZ-OBJ-006 | PASS | Fuzz FUZZ-OBJ-006 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-006 (deeply nested object) on param 'query' —…McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object
|
1376ms |
| T03-06-keysquery-FUZZ-OBJ-001 | PASS | Fuzz FUZZ-OBJ-001 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-001 (null as object) on param 'keysQuery' — handled g…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_type",
"expected": "object",
"received": "null",
"path": [
"keysQuery"
],
"message": "Expected object, received null"
}
]
|
923ms |
| T03-06-keysquery-FUZZ-OBJ-002 | PASS | Fuzz FUZZ-OBJ-002 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-002 (list as object) on param 'keysQuery' — handled g…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_type",
"expected": "object",
"received": "array",
"path": [
"keysQuery"
],
"message": "Expected object, received array"
}
]
|
726ms |
| T03-06-keysquery-FUZZ-OBJ-003 | PASS | Fuzz FUZZ-OBJ-003 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-003 (string as object) on param 'keysQuery' — handled…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_type",
"expected": "object",
"received": "string",
"path": [
"keysQuery"
],
"message": "Expected object, received string"
}
]
|
1042ms |
| T03-06-keysquery-FUZZ-OBJ-004 | PASS | Fuzz FUZZ-OBJ-004 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-004 (empty object) on param 'keysQuery' — handled gra…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
|
1160ms |
| T03-06-keysquery-FUZZ-OBJ-005 | PASS | Fuzz FUZZ-OBJ-005 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-005 (prototype pollution) on param 'keysQuery' — hand…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
|
1877ms |
| T03-06-keysquery-FUZZ-OBJ-006 | PASS | Fuzz FUZZ-OBJ-006 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-006 (deeply nested object) on param 'keysQuery' — han…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
|
725ms |
| T03-07-valuesquery-FUZZ-OBJ-001 | PASS | Fuzz FUZZ-OBJ-001 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-001 (null as object) on param 'valuesQuery' — handl…McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "object",
"received": "null",
"path": [
"valuesQuery"
],
"message": "Expected object, received null"
}
]
|
971ms |
| T03-07-valuesquery-FUZZ-OBJ-002 | PASS | Fuzz FUZZ-OBJ-002 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-002 (list as object) on param 'valuesQuery' — handl…McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "object",
"received": "array",
"path": [
"valuesQuery"
],
"message": "Expected object, received array"
}
]
|
1125ms |
| T03-07-valuesquery-FUZZ-OBJ-003 | PASS | Fuzz FUZZ-OBJ-003 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-003 (string as object) on param 'valuesQuery' — han…McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "object",
"received": "string",
"path": [
"valuesQuery"
],
"message": "Expected object, received string"
}
]
|
809ms |
| T03-07-valuesquery-FUZZ-OBJ-004 | PASS | Fuzz FUZZ-OBJ-004 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-004 (empty object) on param 'valuesQuery' — handled…McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
|
874ms |
| T03-07-valuesquery-FUZZ-OBJ-005 | PASS | Fuzz FUZZ-OBJ-005 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-005 (prototype pollution) on param 'valuesQuery' — …McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
|
1320ms |
| T03-07-valuesquery-FUZZ-OBJ-006 | PASS | Fuzz FUZZ-OBJ-006 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-006 (deeply nested object) on param 'valuesQuery' —…McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
|
737ms |
| T03-08-query-FUZZ-STR-001 | PASS | Fuzz FUZZ-STR-001 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-001 (empty string) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True"
|
760ms |
| T03-08-query-FUZZ-STR-002 | PASS | Fuzz FUZZ-STR-002 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-002 (single space) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True"
|
1008ms |
| T03-08-query-FUZZ-STR-003 | PASS | Fuzz FUZZ-STR-003 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-003 (whitespace only) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True"
|
884ms |
| T03-08-query-FUZZ-STR-004 | PASS | Fuzz FUZZ-STR-004 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-004 (null value) on param 'query' — hand…McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "null",
"path": [
"query"
],
"message": "Expected string, received null"
}
]
|
858ms |
| T03-08-query-FUZZ-STR-005 | PASS | Fuzz FUZZ-STR-005 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-005 (integer as string field) on param '…McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "number",
"path": [
"query"
],
"message": "Expected string, received number"
}
]
|
1329ms |
| T03-08-query-FUZZ-STR-006 | PASS | Fuzz FUZZ-STR-006 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-006 (boolean as string field) on param '…McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "boolean",
"path": [
"query"
],
"message": "Expected string, received boolean"
}
]
|
720ms |
| T03-08-query-FUZZ-STR-007 | PASS | Fuzz FUZZ-STR-007 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-007 (list as string field) on param 'que…McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "array",
"path": [
"query"
],
"message": "Expected string, received array"
}
]
|
1303ms |
| T03-08-query-FUZZ-STR-008 | PASS | Fuzz FUZZ-STR-008 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-008 (dict as string field) on param 'que…McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "object",
"path": [
"query"
],
"message": "Expected string, received object"
}
]
|
665ms |
| T03-08-query-FUZZ-STR-009 | PASS | Fuzz FUZZ-STR-009 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-009 (very long string 10k) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='', annotations=None, meta=None)] structuredContent=None isError=False"
|
2796ms |
| T03-08-query-FUZZ-STR-010 | PASS | Fuzz FUZZ-STR-010 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-010 (newlines and tabs) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True"
|
914ms |
| T03-08-query-FUZZ-STR-011 | PASS | Fuzz FUZZ-STR-011 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-011 (null byte in string) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='', annotations=None, meta=None)] structuredContent=None isError=False"
|
3290ms |
| T03-08-query-FUZZ-STR-012 | PASS | Fuzz FUZZ-STR-012 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-012 (all unicode planes) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='', annotations=None, meta=None)] structuredContent=None isError=False"
|
3124ms |
| T04-002 | PASS | Hidden Instruction Scan | No suspicious patterns found in 9 tool description(s). | 1ms |
| T04-004 | PASS | Schema Field Injection Check | All 9 tool inputSchema(s) contain only sanctioned JSON Schema fields. | 0ms |
| T04-005 | PASS | Tool Count Stability Check |
Tool count stable at 9 across 5 polls (2.5s window).Counts per poll: [9, 9, 9, 9, 9]
|
5288ms |
| T09-001 | PASS | Output Sanitization — Summary | All 9 tool outputs and 0 resource reads passed PI-marker scanning. | 10810ms |
| T09-TOOL-accounts_list | PASS | Output Sanitization → accounts_list | Tool 'accounts_list' output clean — no prompt-injection markers detected. | 2318ms |
| T09-TOOL-migrate_pages_to_workers_gui | PASS | Output Sanitization → migrate_pages_to_workers_guide | Tool 'migrate_pages_to_workers_guide' output clean — no prompt-injection markers detected. | 1118ms |
| T09-TOOL-search_cloudflare_documentat | PASS | Output Sanitization → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' output clean — no prompt-injection markers detected. | 1255ms |
| T09-TOOL-workers_get_worker | PASS | Output Sanitization → workers_get_worker | Tool 'workers_get_worker' output clean — no prompt-injection markers detected. | 1247ms |
| T09-TOOL-workers_get_worker_code | PASS | Output Sanitization → workers_get_worker_code | Tool 'workers_get_worker_code' output clean — no prompt-injection markers detected. | 1048ms |
| T09-TOOL-workers_list | PASS | Output Sanitization → workers_list | Tool 'workers_list' output clean — no prompt-injection markers detected. | 952ms |
| T10-001 | PASS | Cross-Session Data Leakage | Marker planted in 3 tool(s) via session A did not leak into an independent session B — state appears correctly partitioned. | 18744ms |
| T11-001 | PASS | Timing Side-Channel — Summary | Probed 3 tool(s); no timing oracles detected. | 39118ms |
| T11-TOOL-search_cloudflare_documentat | PASS | Timing Side-Channel → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' does not appear to leak timing information (mean 2416.4 ms vs 2170.4 ms, ratio 1.11×). | 19602ms |
| T11-TOOL-workers_get_worker | PASS | Timing Side-Channel → workers_get_worker | Tool 'workers_get_worker' does not appear to leak timing information (mean 954.9 ms vs 1314.4 ms, ratio 0.73×). | 9771ms |
| T11-TOOL-workers_get_worker_code | PASS | Timing Side-Channel → workers_get_worker_code | Tool 'workers_get_worker_code' does not appear to leak timing information (mean 1043.9 ms vs 1104.8 ms, ratio 0.94×). | 9744ms |
| T12-001 | PASS | Error Secret Leakage — Summary | Probed 9 tool(s) and 0 resources; no secret patterns detected in error messages. | 24987ms |
| T12-TOOL-accounts_list | PASS | Error Secret Leakage → accounts_list | Tool 'accounts_list' never errored on malformed inputs — nothing to scan. | 2317ms |
| T12-TOOL-migrate_pages_to_workers_gui | PASS | Error Secret Leakage → migrate_pages_to_workers_guide | Tool 'migrate_pages_to_workers_guide' never errored on malformed inputs — nothing to scan. | 925ms |
| T12-TOOL-observability_keys | PASS | Error Secret Leakage → observability_keys | Tool 'observability_keys' errored on 3 malformed input(s); no secret patterns found in error text. | 3118ms |
| T12-TOOL-observability_values | PASS | Error Secret Leakage → observability_values | Tool 'observability_values' errored on 3 malformed input(s); no secret patterns found in error text. | 3068ms |
| T12-TOOL-query_worker_observability | PASS | Error Secret Leakage → query_worker_observability | Tool 'query_worker_observability' errored on 3 malformed input(s); no secret patterns found in error text. | 3180ms |
| T12-TOOL-search_cloudflare_documentat | PASS | Error Secret Leakage → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' errored on 2 malformed input(s); no secret patterns found in error text. | 4763ms |
| T12-TOOL-workers_get_worker | PASS | Error Secret Leakage → workers_get_worker | Tool 'workers_get_worker' errored on 2 malformed input(s); no secret patterns found in error text. | 3458ms |
| T12-TOOL-workers_get_worker_code | PASS | Error Secret Leakage → workers_get_worker_code | Tool 'workers_get_worker_code' errored on 2 malformed input(s); no secret patterns found in error text. | 3129ms |
| T12-TOOL-workers_list | PASS | Error Secret Leakage → workers_list | Tool 'workers_list' never errored on malformed inputs — nothing to scan. | 1026ms |
| T13-001 | PASS | Sampling Capability Advertisement | Server does not advertise the 'sampling' capability. | 0ms |
| T13-003 | PASS | Sampling Abuse — Summary | No sampling-abuse surface detected. | 4780ms |
| T14-001 | PASS | Notification Flood Rate | Server sent 0 notifications during a 5s quiet window (0.0/sec) — well within expected bounds. | 7274ms |
| T14-002 | PASS | Notification Flood — Summary | No notification-flood risk detected. | 7274ms |
| T15-001 | PASS | Reentrancy — Summary | Probed 3 tool(s) with 6 concurrent invocations each; no state-bleed detected. | 6526ms |
| T15-TOOL-search_cloudflare_documentat | PASS | Reentrancy → search_cloudflare_documentation | 6 concurrent calls to 'search_cloudflare_documentation' returned independent results — no state bleed detected. | 3785ms |
| T15-TOOL-workers_get_worker | PASS | Reentrancy → workers_get_worker | 6 concurrent calls to 'workers_get_worker' returned independent results — no state bleed detected. | 1340ms |
| T15-TOOL-workers_get_worker_code | PASS | Reentrancy → workers_get_worker_code | 6 concurrent calls to 'workers_get_worker_code' returned independent results — no state bleed detected. | 1401ms |
| T16-001 | PASS | Tool Set Drift | Tool inventory stable across snapshots. | 8739ms |
| T16-002 | PASS | Resource Set Drift | Resource inventory stable. | 0ms |
| T16-004 | PASS | Server Capability Drift | Server capabilities stable. | 0ms |
| T16-005 | PASS | Capability Creep — Summary | All capability surfaces stable over 3s window. | 8739ms |
| T17-001 | PASS | Cross-Session Hash Drift | All 10 descriptions match byte-for-byte across two independent sessions. | 10881ms |
| T19-001 | PASS | Non-ASCII Identifiers | All identifiers are pure ASCII. | 0ms |
| T19-002 | PASS | Confusable / Homoglyph Characters | No Unicode confusables detected in identifiers. | 0ms |
| T19-003 | PASS | Mixed-Script Identifiers | No mixed-script identifiers found. | 0ms |
| T19-004 | PASS | Invisible / Directional Characters | No invisible characters in identifiers. | 0ms |
| T19-005 | PASS | Homoglyph Scan — Summary | Scanned 10 identifier(s); no impersonation signals detected. | 0ms |
| T21-001 | PASS | Path Traversal — Summary | 36 probe(s) sent, no traversal to sensitive files confirmed. | 61170ms |
| T21-TOOL-search_cloudflare_do-PT-001 | PASS | Path Traversal PT-001 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Plain Unix. | 3258ms |
| T21-TOOL-search_cloudflare_do-PT-002 | PASS | Path Traversal PT-002 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Plain Windows. | 2711ms |
| T21-TOOL-search_cloudflare_do-PT-003 | PASS | Path Traversal PT-003 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected URL-encoded. | 3543ms |
| T21-TOOL-search_cloudflare_do-PT-004 | PASS | Path Traversal PT-004 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Double URL-encoded. | 2947ms |
| T21-TOOL-search_cloudflare_do-PT-005 | PASS | Path Traversal PT-005 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected UTF-8 overlong. | 3411ms |
| T21-TOOL-search_cloudflare_do-PT-006 | PASS | Path Traversal PT-006 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Backslash + forward. | 2872ms |
| T21-TOOL-search_cloudflare_do-PT-007 | PASS | Path Traversal PT-007 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Unicode normalisation. | 2482ms |
| T21-TOOL-search_cloudflare_do-PT-008 | PASS | Path Traversal PT-008 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected NUL byte truncation. | 2461ms |
| T21-TOOL-search_cloudflare_do-PT-009 | PASS | Path Traversal PT-009 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Absolute Unix path. | 3005ms |
| T21-TOOL-search_cloudflare_do-PT-010 | PASS | Path Traversal PT-010 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Absolute Windows path. | 2710ms |
| T21-TOOL-search_cloudflare_do-PT-011 | PASS | Path Traversal PT-011 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Resource file:// scheme. | 2560ms |
| T21-TOOL-search_cloudflare_do-PT-012 | PASS | Path Traversal PT-012 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely rejected Proto-smuggling. | 2397ms |
| T21-TOOL-workers_get_worker-PT-001 | PASS | Path Traversal PT-001 → workers_get_worker | Tool 'workers_get_worker' safely rejected Plain Unix. | 1412ms |
| T21-TOOL-workers_get_worker-PT-002 | PASS | Path Traversal PT-002 → workers_get_worker | Tool 'workers_get_worker' safely rejected Plain Windows. | 806ms |
| T21-TOOL-workers_get_worker-PT-003 | PASS | Path Traversal PT-003 → workers_get_worker | Tool 'workers_get_worker' safely rejected URL-encoded. | 1058ms |
| T21-TOOL-workers_get_worker-PT-004 | PASS | Path Traversal PT-004 → workers_get_worker | Tool 'workers_get_worker' safely rejected Double URL-encoded. | 903ms |
| T21-TOOL-workers_get_worker-PT-005 | PASS | Path Traversal PT-005 → workers_get_worker | Tool 'workers_get_worker' safely rejected UTF-8 overlong. | 1057ms |
| T21-TOOL-workers_get_worker-PT-006 | PASS | Path Traversal PT-006 → workers_get_worker | Tool 'workers_get_worker' safely rejected Backslash + forward. | 1439ms |
| T21-TOOL-workers_get_worker-PT-007 | PASS | Path Traversal PT-007 → workers_get_worker | Tool 'workers_get_worker' safely rejected Unicode normalisation. | 975ms |
| T21-TOOL-workers_get_worker-PT-008 | PASS | Path Traversal PT-008 → workers_get_worker | Tool 'workers_get_worker' safely rejected NUL byte truncation. | 1182ms |
| T21-TOOL-workers_get_worker-PT-009 | PASS | Path Traversal PT-009 → workers_get_worker | Tool 'workers_get_worker' safely rejected Absolute Unix path. | 1394ms |
| T21-TOOL-workers_get_worker-PT-010 | PASS | Path Traversal PT-010 → workers_get_worker | Tool 'workers_get_worker' safely rejected Absolute Windows path. | 1031ms |
| T21-TOOL-workers_get_worker-PT-011 | PASS | Path Traversal PT-011 → workers_get_worker | Tool 'workers_get_worker' safely rejected Resource file:// scheme. | 1119ms |
| T21-TOOL-workers_get_worker-PT-012 | PASS | Path Traversal PT-012 → workers_get_worker | Tool 'workers_get_worker' safely rejected Proto-smuggling. | 1129ms |
| T21-TOOL-workers_get_worker_c-PT-001 | PASS | Path Traversal PT-001 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected Plain Unix. | 970ms |
| T21-TOOL-workers_get_worker_c-PT-002 | PASS | Path Traversal PT-002 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected Plain Windows. | 980ms |
| T21-TOOL-workers_get_worker_c-PT-003 | PASS | Path Traversal PT-003 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected URL-encoded. | 959ms |
| T21-TOOL-workers_get_worker_c-PT-004 | PASS | Path Traversal PT-004 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected Double URL-encoded. | 1248ms |
| T21-TOOL-workers_get_worker_c-PT-005 | PASS | Path Traversal PT-005 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected UTF-8 overlong. | 924ms |
| T21-TOOL-workers_get_worker_c-PT-006 | PASS | Path Traversal PT-006 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected Backslash + forward. | 837ms |
| T21-TOOL-workers_get_worker_c-PT-007 | PASS | Path Traversal PT-007 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected Unicode normalisation. | 1109ms |
| T21-TOOL-workers_get_worker_c-PT-008 | PASS | Path Traversal PT-008 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected NUL byte truncation. | 1333ms |
| T21-TOOL-workers_get_worker_c-PT-009 | PASS | Path Traversal PT-009 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected Absolute Unix path. | 1187ms |
| T21-TOOL-workers_get_worker_c-PT-010 | PASS | Path Traversal PT-010 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected Absolute Windows path. | 999ms |
| T21-TOOL-workers_get_worker_c-PT-011 | PASS | Path Traversal PT-011 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected Resource file:// scheme. | 1536ms |
| T21-TOOL-workers_get_worker_c-PT-012 | PASS | Path Traversal PT-012 → workers_get_worker_code | Tool 'workers_get_worker_code' safely rejected Proto-smuggling. | 1220ms |
| T22-001 | PASS | Command Injection — Summary | 24 probe(s) sent, no shell execution confirmed. | 39269ms |
| T22-TOOL-search_cloudflare_do-CI-001 | PASS | Command Injection CI-001 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Semicolon chain. | 2476ms |
| T22-TOOL-search_cloudflare_do-CI-002 | PASS | Command Injection CI-002 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Pipe. | 3004ms |
| T22-TOOL-search_cloudflare_do-CI-003 | PASS | Command Injection CI-003 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Background ampersand. | 2513ms |
| T22-TOOL-search_cloudflare_do-CI-004 | PASS | Command Injection CI-004 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Logical AND. | 2467ms |
| T22-TOOL-search_cloudflare_do-CI-005 | PASS | Command Injection CI-005 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Logical OR. | 2815ms |
| T22-TOOL-search_cloudflare_do-CI-006 | PASS | Command Injection CI-006 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Command substitution $(). | 2221ms |
| T22-TOOL-search_cloudflare_do-CI-007 | PASS | Command Injection CI-007 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Backtick cmdsub. | 3144ms |
| T22-TOOL-search_cloudflare_do-CI-010 | PASS | Command Injection CI-010 → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' safely handled Windows cmd chain. | 2794ms |
| T22-TOOL-workers_get_worker-CI-001 | PASS | Command Injection CI-001 → workers_get_worker | Tool 'workers_get_worker' safely handled Semicolon chain. | 1512ms |
| T22-TOOL-workers_get_worker-CI-002 | PASS | Command Injection CI-002 → workers_get_worker | Tool 'workers_get_worker' safely handled Pipe. | 1320ms |
| T22-TOOL-workers_get_worker-CI-003 | PASS | Command Injection CI-003 → workers_get_worker | Tool 'workers_get_worker' safely handled Background ampersand. | 1066ms |
| T22-TOOL-workers_get_worker-CI-004 | PASS | Command Injection CI-004 → workers_get_worker | Tool 'workers_get_worker' safely handled Logical AND. | 1182ms |
| T22-TOOL-workers_get_worker-CI-005 | PASS | Command Injection CI-005 → workers_get_worker | Tool 'workers_get_worker' safely handled Logical OR. | 1052ms |
| T22-TOOL-workers_get_worker-CI-006 | PASS | Command Injection CI-006 → workers_get_worker | Tool 'workers_get_worker' safely handled Command substitution $(). | 1022ms |
| T22-TOOL-workers_get_worker-CI-007 | PASS | Command Injection CI-007 → workers_get_worker | Tool 'workers_get_worker' safely handled Backtick cmdsub. | 945ms |
| T22-TOOL-workers_get_worker-CI-010 | PASS | Command Injection CI-010 → workers_get_worker | Tool 'workers_get_worker' safely handled Windows cmd chain. | 1119ms |
| T22-TOOL-workers_get_worker_c-CI-001 | PASS | Command Injection CI-001 → workers_get_worker_code | Tool 'workers_get_worker_code' safely handled Semicolon chain. | 1045ms |
| T22-TOOL-workers_get_worker_c-CI-002 | PASS | Command Injection CI-002 → workers_get_worker_code | Tool 'workers_get_worker_code' safely handled Pipe. | 1004ms |
| T22-TOOL-workers_get_worker_c-CI-003 | PASS | Command Injection CI-003 → workers_get_worker_code | Tool 'workers_get_worker_code' safely handled Background ampersand. | 1028ms |
| T22-TOOL-workers_get_worker_c-CI-004 | PASS | Command Injection CI-004 → workers_get_worker_code | Tool 'workers_get_worker_code' safely handled Logical AND. | 1135ms |
| T22-TOOL-workers_get_worker_c-CI-005 | PASS | Command Injection CI-005 → workers_get_worker_code | Tool 'workers_get_worker_code' safely handled Logical OR. | 1060ms |
| T22-TOOL-workers_get_worker_c-CI-006 | PASS | Command Injection CI-006 → workers_get_worker_code | Tool 'workers_get_worker_code' safely handled Command substitution $(). | 1197ms |
| T22-TOOL-workers_get_worker_c-CI-007 | PASS | Command Injection CI-007 → workers_get_worker_code | Tool 'workers_get_worker_code' safely handled Backtick cmdsub. | 1189ms |
| T22-TOOL-workers_get_worker_c-CI-010 | PASS | Command Injection CI-010 → workers_get_worker_code | Tool 'workers_get_worker_code' safely handled Windows cmd chain. | 960ms |
| T23-001 | PASS | SQL Injection Deep — Summary | No deep SQLi findings across 3 probed tool(s). | 56829ms |
| T23-TOOL-search_cloudflare_do-SQL-001 | PASS | SQL SQL-001 → search_cloudflare_documentation |
No SQLi detected via UNION version on 'search_cloudflare_documentation'.baseline=2713ms payload=3673ms
|
3673ms |
| T23-TOOL-search_cloudflare_do-SQL-002 | PASS | SQL SQL-002 → search_cloudflare_documentation |
No SQLi detected via UNION sqlite_ver on 'search_cloudflare_documentation'.baseline=2713ms payload=2353ms
|
2353ms |
| T23-TOOL-search_cloudflare_do-SQL-003 | PASS | SQL SQL-003 → search_cloudflare_documentation |
No SQLi detected via Boolean true on 'search_cloudflare_documentation'.baseline=2713ms payload=3413ms
|
3413ms |
| T23-TOOL-search_cloudflare_do-SQL-004 | PASS | SQL SQL-004 → search_cloudflare_documentation |
No SQLi detected via Boolean false on 'search_cloudflare_documentation'.baseline=2713ms payload=3494ms
|
3494ms |
| T23-TOOL-search_cloudflare_do-SQL-005 | PASS | SQL SQL-005 → search_cloudflare_documentation |
No SQLi detected via Time blind PG on 'search_cloudflare_documentation'.baseline=2713ms payload=2583ms
|
2583ms |
| T23-TOOL-search_cloudflare_do-SQL-006 | PASS | SQL SQL-006 → search_cloudflare_documentation |
No SQLi detected via Time blind MS on 'search_cloudflare_documentation'.baseline=2713ms payload=2361ms
|
2361ms |
| T23-TOOL-search_cloudflare_do-SQL-007 | PASS | SQL SQL-007 → search_cloudflare_documentation |
No SQLi detected via Time blind MySQL on 'search_cloudflare_documentation'.baseline=2713ms payload=2721ms
|
2721ms |
| T23-TOOL-search_cloudflare_do-SQL-008 | PASS | SQL SQL-008 → search_cloudflare_documentation |
No SQLi detected via Stacked drop on 'search_cloudflare_documentation'.baseline=2713ms payload=2720ms
|
2720ms |
| T23-TOOL-search_cloudflare_do-SQL-009 | PASS | SQL SQL-009 → search_cloudflare_documentation |
No SQLi detected via NoSQL $ne on 'search_cloudflare_documentation'.baseline=2713ms payload=3200ms
|
3200ms |
| T23-TOOL-search_cloudflare_do-SQL-010 | PASS | SQL SQL-010 → search_cloudflare_documentation |
No SQLi detected via NoSQL $gt on 'search_cloudflare_documentation'.baseline=2713ms payload=3001ms
|
3001ms |
| T23-TOOL-workers_get_worker-SQL-001 | PASS | SQL SQL-001 → workers_get_worker |
No SQLi detected via UNION version on 'workers_get_worker'.baseline=1580ms payload=1070ms
|
1070ms |
| T23-TOOL-workers_get_worker-SQL-002 | PASS | SQL SQL-002 → workers_get_worker |
No SQLi detected via UNION sqlite_ver on 'workers_get_worker'.baseline=1580ms payload=1439ms
|
1439ms |
| T23-TOOL-workers_get_worker-SQL-003 | PASS | SQL SQL-003 → workers_get_worker |
No SQLi detected via Boolean true on 'workers_get_worker'.baseline=1580ms payload=1005ms
|
1005ms |
| T23-TOOL-workers_get_worker-SQL-004 | PASS | SQL SQL-004 → workers_get_worker |
No SQLi detected via Boolean false on 'workers_get_worker'.baseline=1580ms payload=1007ms
|
1007ms |
| T23-TOOL-workers_get_worker-SQL-005 | PASS | SQL SQL-005 → workers_get_worker |
No SQLi detected via Time blind PG on 'workers_get_worker'.baseline=1580ms payload=1086ms
|
1086ms |
| T23-TOOL-workers_get_worker-SQL-006 | PASS | SQL SQL-006 → workers_get_worker |
No SQLi detected via Time blind MS on 'workers_get_worker'.baseline=1580ms payload=973ms
|
973ms |
| T23-TOOL-workers_get_worker-SQL-007 | PASS | SQL SQL-007 → workers_get_worker |
No SQLi detected via Time blind MySQL on 'workers_get_worker'.baseline=1580ms payload=1016ms
|
1055ms |
| T23-TOOL-workers_get_worker-SQL-008 | PASS | SQL SQL-008 → workers_get_worker |
No SQLi detected via Stacked drop on 'workers_get_worker'.baseline=1580ms payload=968ms
|
968ms |
| T23-TOOL-workers_get_worker-SQL-009 | PASS | SQL SQL-009 → workers_get_worker |
No SQLi detected via NoSQL $ne on 'workers_get_worker'.baseline=1580ms payload=1032ms
|
1073ms |
| T23-TOOL-workers_get_worker-SQL-010 | PASS | SQL SQL-010 → workers_get_worker |
No SQLi detected via NoSQL $gt on 'workers_get_worker'.baseline=1580ms payload=926ms
|
926ms |
| T23-TOOL-workers_get_worker_c-SQL-001 | PASS | SQL SQL-001 → workers_get_worker_code |
No SQLi detected via UNION version on 'workers_get_worker_code'.baseline=1311ms payload=1085ms
|
1085ms |
| T23-TOOL-workers_get_worker_c-SQL-002 | PASS | SQL SQL-002 → workers_get_worker_code |
No SQLi detected via UNION sqlite_ver on 'workers_get_worker_code'.baseline=1311ms payload=1118ms
|
1118ms |
| T23-TOOL-workers_get_worker_c-SQL-003 | PASS | SQL SQL-003 → workers_get_worker_code |
No SQLi detected via Boolean true on 'workers_get_worker_code'.baseline=1311ms payload=1054ms
|
1054ms |
| T23-TOOL-workers_get_worker_c-SQL-004 | PASS | SQL SQL-004 → workers_get_worker_code |
No SQLi detected via Boolean false on 'workers_get_worker_code'.baseline=1311ms payload=1051ms
|
1052ms |
| T23-TOOL-workers_get_worker_c-SQL-005 | PASS | SQL SQL-005 → workers_get_worker_code |
No SQLi detected via Time blind PG on 'workers_get_worker_code'.baseline=1311ms payload=959ms
|
959ms |
| T23-TOOL-workers_get_worker_c-SQL-006 | PASS | SQL SQL-006 → workers_get_worker_code |
No SQLi detected via Time blind MS on 'workers_get_worker_code'.baseline=1311ms payload=1060ms
|
1119ms |
| T23-TOOL-workers_get_worker_c-SQL-007 | PASS | SQL SQL-007 → workers_get_worker_code |
No SQLi detected via Time blind MySQL on 'workers_get_worker_code'.baseline=1311ms payload=968ms
|
968ms |
| T23-TOOL-workers_get_worker_c-SQL-008 | PASS | SQL SQL-008 → workers_get_worker_code |
No SQLi detected via Stacked drop on 'workers_get_worker_code'.baseline=1311ms payload=1336ms
|
1383ms |
| T23-TOOL-workers_get_worker_c-SQL-009 | PASS | SQL SQL-009 → workers_get_worker_code |
No SQLi detected via NoSQL $ne on 'workers_get_worker_code'.baseline=1311ms payload=1209ms
|
1209ms |
| T23-TOOL-workers_get_worker_c-SQL-010 | PASS | SQL SQL-010 → workers_get_worker_code |
No SQLi detected via NoSQL $gt on 'workers_get_worker_code'.baseline=1311ms payload=1099ms
|
1099ms |
| T24-TOOL-search_cloudflare_do-DS-001 | PASS | Deserialisation DS-001 → search_cloudflare_documentation | Python pickle (b64) — no deserialisation markers detected. | 2771ms |
| T24-TOOL-search_cloudflare_do-DS-002 | PASS | Deserialisation DS-002 → search_cloudflare_documentation | YAML !!python apply print — no deserialisation markers detected. | 2843ms |
| T24-TOOL-search_cloudflare_do-DS-003 | PASS | Deserialisation DS-003 → search_cloudflare_documentation | YAML !!python os.popen — no deserialisation markers detected. | 2431ms |
| T24-TOOL-search_cloudflare_do-DS-004 | PASS | Deserialisation DS-004 → search_cloudflare_documentation | XML XXE file:// — no deserialisation markers detected. | 2671ms |
| T24-TOOL-search_cloudflare_do-DS-006 | PASS | Deserialisation DS-006 → search_cloudflare_documentation | Java serialised magic (b64) — no deserialisation markers detected. | 3108ms |
| T24-TOOL-search_cloudflare_do-DS-007 | PASS | Deserialisation DS-007 → search_cloudflare_documentation | Ruby Marshal magic (b64) — no deserialisation markers detected. | 2879ms |
| T24-TOOL-search_cloudflare_do-DS-008 | PASS | Deserialisation DS-008 → search_cloudflare_documentation | JSON __proto__ pollution — no deserialisation markers detected. | 2650ms |
| T24-TOOL-workers_get_worker-DS-001 | PASS | Deserialisation DS-001 → workers_get_worker | Python pickle (b64) — no deserialisation markers detected. | 1598ms |
| T24-TOOL-workers_get_worker-DS-002 | PASS | Deserialisation DS-002 → workers_get_worker | YAML !!python apply print — no deserialisation markers detected. | 1132ms |
| T24-TOOL-workers_get_worker-DS-003 | PASS | Deserialisation DS-003 → workers_get_worker | YAML !!python os.popen — no deserialisation markers detected. | 1459ms |
| T24-TOOL-workers_get_worker-DS-004 | PASS | Deserialisation DS-004 → workers_get_worker | XML XXE file:// — no deserialisation markers detected. | 1253ms |
| T24-TOOL-workers_get_worker-DS-005 | PASS | Deserialisation DS-005 → workers_get_worker | XML XXE parameter entity — no deserialisation markers detected. | 1073ms |
| T24-TOOL-workers_get_worker-DS-006 | PASS | Deserialisation DS-006 → workers_get_worker | Java serialised magic (b64) — no deserialisation markers detected. | 1223ms |
| T24-TOOL-workers_get_worker-DS-007 | PASS | Deserialisation DS-007 → workers_get_worker | Ruby Marshal magic (b64) — no deserialisation markers detected. | 1226ms |
| T24-TOOL-workers_get_worker-DS-008 | PASS | Deserialisation DS-008 → workers_get_worker | JSON __proto__ pollution — no deserialisation markers detected. | 1342ms |
| T24-TOOL-workers_get_worker_c-DS-001 | PASS | Deserialisation DS-001 → workers_get_worker_code | Python pickle (b64) — no deserialisation markers detected. | 1013ms |
| T24-TOOL-workers_get_worker_c-DS-002 | PASS | Deserialisation DS-002 → workers_get_worker_code | YAML !!python apply print — no deserialisation markers detected. | 1075ms |
| T24-TOOL-workers_get_worker_c-DS-003 | PASS | Deserialisation DS-003 → workers_get_worker_code | YAML !!python os.popen — no deserialisation markers detected. | 1477ms |
| T24-TOOL-workers_get_worker_c-DS-004 | PASS | Deserialisation DS-004 → workers_get_worker_code | XML XXE file:// — no deserialisation markers detected. | 948ms |
| T24-TOOL-workers_get_worker_c-DS-005 | PASS | Deserialisation DS-005 → workers_get_worker_code | XML XXE parameter entity — no deserialisation markers detected. | 2138ms |
| T24-TOOL-workers_get_worker_c-DS-006 | PASS | Deserialisation DS-006 → workers_get_worker_code | Java serialised magic (b64) — no deserialisation markers detected. | 996ms |
| T24-TOOL-workers_get_worker_c-DS-007 | PASS | Deserialisation DS-007 → workers_get_worker_code | Ruby Marshal magic (b64) — no deserialisation markers detected. | 1020ms |
| T24-TOOL-workers_get_worker_c-DS-008 | PASS | Deserialisation DS-008 → workers_get_worker_code | JSON __proto__ pollution — no deserialisation markers detected. | 964ms |
| T26-001 | PASS | SSTI — Summary | No SSTI detected across 3 probed tool(s). | 47909ms |
| T26-TOOL-search_cloudflare_do-SSTI-001 | PASS | SSTI SSTI-001 → search_cloudflare_documentation | No template evaluation detected for Jinja/Twig {{7*7}} on 'search_cloudflare_documentation'. | 2530ms |
| T26-TOOL-search_cloudflare_do-SSTI-002 | PASS | SSTI SSTI-002 → search_cloudflare_documentation | No template evaluation detected for Jinja concat on 'search_cloudflare_documentation'. | 2033ms |
| T26-TOOL-search_cloudflare_do-SSTI-003 | PASS | SSTI SSTI-003 → search_cloudflare_documentation | No template evaluation detected for Handlebars #with on 'search_cloudflare_documentation'. | 2668ms |
| T26-TOOL-search_cloudflare_do-SSTI-004 | PASS | SSTI SSTI-004 → search_cloudflare_documentation | No template evaluation detected for ERB <%= 7*7 %> on 'search_cloudflare_documentation'. | 2196ms |
| T26-TOOL-search_cloudflare_do-SSTI-005 | PASS | SSTI SSTI-005 → search_cloudflare_documentation | No template evaluation detected for Freemarker ${7*7} on 'search_cloudflare_documentation'. | 3250ms |
| T26-TOOL-search_cloudflare_do-SSTI-006 | PASS | SSTI SSTI-006 → search_cloudflare_documentation | No template evaluation detected for Velocity #set on 'search_cloudflare_documentation'. | 2420ms |
| T26-TOOL-search_cloudflare_do-SSTI-007 | PASS | SSTI SSTI-007 → search_cloudflare_documentation | No template evaluation detected for JSP ${7*7} on 'search_cloudflare_documentation'. | 1822ms |
| T26-TOOL-search_cloudflare_do-SSTI-008 | PASS | SSTI SSTI-008 → search_cloudflare_documentation | No template evaluation detected for Smarty {$x=7*7} on 'search_cloudflare_documentation'. | 2698ms |
| T26-TOOL-search_cloudflare_do-SSTI-009 | PASS | SSTI SSTI-009 → search_cloudflare_documentation | No template evaluation detected for Razor @(7*7) on 'search_cloudflare_documentation'. | 2453ms |
| T26-TOOL-search_cloudflare_do-SSTI-010 | PASS | SSTI SSTI-010 → search_cloudflare_documentation | No template evaluation detected for Mako <%= 7*7 %> on 'search_cloudflare_documentation'. | 2341ms |
| T26-TOOL-workers_get_worker-SSTI-001 | PASS | SSTI SSTI-001 → workers_get_worker | No template evaluation detected for Jinja/Twig {{7*7}} on 'workers_get_worker'. | 2334ms |
| T26-TOOL-workers_get_worker-SSTI-002 | PASS | SSTI SSTI-002 → workers_get_worker | No template evaluation detected for Jinja concat on 'workers_get_worker'. | 1192ms |
| T26-TOOL-workers_get_worker-SSTI-003 | PASS | SSTI SSTI-003 → workers_get_worker | No template evaluation detected for Handlebars #with on 'workers_get_worker'. | 1250ms |
| T26-TOOL-workers_get_worker-SSTI-004 | PASS | SSTI SSTI-004 → workers_get_worker | No template evaluation detected for ERB <%= 7*7 %> on 'workers_get_worker'. | 720ms |
| T26-TOOL-workers_get_worker-SSTI-005 | PASS | SSTI SSTI-005 → workers_get_worker | No template evaluation detected for Freemarker ${7*7} on 'workers_get_worker'. | 1689ms |
| T26-TOOL-workers_get_worker-SSTI-006 | PASS | SSTI SSTI-006 → workers_get_worker | No template evaluation detected for Velocity #set on 'workers_get_worker'. | 969ms |
| T26-TOOL-workers_get_worker-SSTI-007 | PASS | SSTI SSTI-007 → workers_get_worker | No template evaluation detected for JSP ${7*7} on 'workers_get_worker'. | 1131ms |
| T26-TOOL-workers_get_worker-SSTI-008 | PASS | SSTI SSTI-008 → workers_get_worker | No template evaluation detected for Smarty {$x=7*7} on 'workers_get_worker'. | 1166ms |
| T26-TOOL-workers_get_worker-SSTI-009 | PASS | SSTI SSTI-009 → workers_get_worker | No template evaluation detected for Razor @(7*7) on 'workers_get_worker'. | 1033ms |
| T26-TOOL-workers_get_worker-SSTI-010 | PASS | SSTI SSTI-010 → workers_get_worker | No template evaluation detected for Mako <%= 7*7 %> on 'workers_get_worker'. | 755ms |
| T26-TOOL-workers_get_worker_c-SSTI-001 | PASS | SSTI SSTI-001 → workers_get_worker_code | No template evaluation detected for Jinja/Twig {{7*7}} on 'workers_get_worker_code'. | 1550ms |
| T26-TOOL-workers_get_worker_c-SSTI-002 | PASS | SSTI SSTI-002 → workers_get_worker_code | No template evaluation detected for Jinja concat on 'workers_get_worker_code'. | 1479ms |
| T26-TOOL-workers_get_worker_c-SSTI-003 | PASS | SSTI SSTI-003 → workers_get_worker_code | No template evaluation detected for Handlebars #with on 'workers_get_worker_code'. | 1047ms |
| T26-TOOL-workers_get_worker_c-SSTI-004 | PASS | SSTI SSTI-004 → workers_get_worker_code | No template evaluation detected for ERB <%= 7*7 %> on 'workers_get_worker_code'. | 924ms |
| T26-TOOL-workers_get_worker_c-SSTI-005 | PASS | SSTI SSTI-005 → workers_get_worker_code | No template evaluation detected for Freemarker ${7*7} on 'workers_get_worker_code'. | 1030ms |
| T26-TOOL-workers_get_worker_c-SSTI-006 | PASS | SSTI SSTI-006 → workers_get_worker_code | No template evaluation detected for Velocity #set on 'workers_get_worker_code'. | 1153ms |
| T26-TOOL-workers_get_worker_c-SSTI-007 | PASS | SSTI SSTI-007 → workers_get_worker_code | No template evaluation detected for JSP ${7*7} on 'workers_get_worker_code'. | 1110ms |
| T26-TOOL-workers_get_worker_c-SSTI-008 | PASS | SSTI SSTI-008 → workers_get_worker_code | No template evaluation detected for Smarty {$x=7*7} on 'workers_get_worker_code'. | 1126ms |
| T26-TOOL-workers_get_worker_c-SSTI-009 | PASS | SSTI SSTI-009 → workers_get_worker_code | No template evaluation detected for Razor @(7*7) on 'workers_get_worker_code'. | 1039ms |
| T26-TOOL-workers_get_worker_c-SSTI-010 | PASS | SSTI SSTI-010 → workers_get_worker_code | No template evaluation detected for Mako <%= 7*7 %> on 'workers_get_worker_code'. | 800ms |
| T27-004 | PASS | Session Tokens — Summary | No session-handling weaknesses detected. | 7682ms |
| T28-001 | PASS | Header Injection — Summary | No CRLF/header-injection findings across 3 probed tool(s). | 22879ms |
| T28-TOOL-search_cloudflare_do-HDR-001 | PASS | Header Injection HDR-001 → search_cloudflare_documentation | No CRLF reflection detected for Classic CRLF + header on 'search_cloudflare_documentation'. | 2429ms |
| T28-TOOL-search_cloudflare_do-HDR-002 | PASS | Header Injection HDR-002 → search_cloudflare_documentation | No CRLF reflection detected for URL-encoded CRLF on 'search_cloudflare_documentation'. | 2162ms |
| T28-TOOL-search_cloudflare_do-HDR-003 | PASS | Header Injection HDR-003 → search_cloudflare_documentation | No CRLF reflection detected for Double-encoded CRLF on 'search_cloudflare_documentation'. | 2167ms |
| T28-TOOL-search_cloudflare_do-HDR-004 | PASS | Header Injection HDR-004 → search_cloudflare_documentation | No CRLF reflection detected for Content-Length smuggling on 'search_cloudflare_documentation'. | 2040ms |
| T28-TOOL-search_cloudflare_do-HDR-005 | PASS | Header Injection HDR-005 → search_cloudflare_documentation | No CRLF reflection detected for Unicode newline on 'search_cloudflare_documentation'. | 2259ms |
| T28-TOOL-workers_get_worker-HDR-001 | PASS | Header Injection HDR-001 → workers_get_worker | No CRLF reflection detected for Classic CRLF + header on 'workers_get_worker'. | 1428ms |
| T28-TOOL-workers_get_worker-HDR-002 | PASS | Header Injection HDR-002 → workers_get_worker | No CRLF reflection detected for URL-encoded CRLF on 'workers_get_worker'. | 948ms |
| T28-TOOL-workers_get_worker-HDR-003 | PASS | Header Injection HDR-003 → workers_get_worker | No CRLF reflection detected for Double-encoded CRLF on 'workers_get_worker'. | 1123ms |
| T28-TOOL-workers_get_worker-HDR-004 | PASS | Header Injection HDR-004 → workers_get_worker | No CRLF reflection detected for Content-Length smuggling on 'workers_get_worker'. | 1183ms |
| T28-TOOL-workers_get_worker-HDR-005 | PASS | Header Injection HDR-005 → workers_get_worker | No CRLF reflection detected for Unicode newline on 'workers_get_worker'. | 1027ms |
| T28-TOOL-workers_get_worker_c-HDR-001 | PASS | Header Injection HDR-001 → workers_get_worker_code | No CRLF reflection detected for Classic CRLF + header on 'workers_get_worker_code'. | 1233ms |
| T28-TOOL-workers_get_worker_c-HDR-002 | PASS | Header Injection HDR-002 → workers_get_worker_code | No CRLF reflection detected for URL-encoded CRLF on 'workers_get_worker_code'. | 1024ms |
| T28-TOOL-workers_get_worker_c-HDR-003 | PASS | Header Injection HDR-003 → workers_get_worker_code | No CRLF reflection detected for Double-encoded CRLF on 'workers_get_worker_code'. | 1013ms |
| T28-TOOL-workers_get_worker_c-HDR-004 | PASS | Header Injection HDR-004 → workers_get_worker_code | No CRLF reflection detected for Content-Length smuggling on 'workers_get_worker_code'. | 1651ms |
| T28-TOOL-workers_get_worker_c-HDR-005 | PASS | Header Injection HDR-005 → workers_get_worker_code | No CRLF reflection detected for Unicode newline on 'workers_get_worker_code'. | 1191ms |
| T29-001 | PASS | ReDoS — Summary | No ReDoS signatures across 3 probed tool(s). | 29412ms |
| T29-TOOL-search_cloudflare_do-RD-001 | PASS | ReDoS RD-001 → search_cloudflare_documentation | No ReDoS signature: baseline 2843ms, attack 2361ms, ratio 0.8×. | 2361ms |
| T29-TOOL-search_cloudflare_do-RD-002 | PASS | ReDoS RD-002 → search_cloudflare_documentation | No ReDoS signature: baseline 2843ms, attack 2737ms, ratio 1.0×. | 2737ms |
| T29-TOOL-search_cloudflare_do-RD-003 | PASS | ReDoS RD-003 → search_cloudflare_documentation | No ReDoS signature: baseline 2843ms, attack 2425ms, ratio 0.9×. | 2425ms |
| T29-TOOL-search_cloudflare_do-RD-004 | PASS | ReDoS RD-004 → search_cloudflare_documentation | No ReDoS signature: baseline 2843ms, attack 2330ms, ratio 0.8×. | 2330ms |
| T29-TOOL-search_cloudflare_do-RD-005 | PASS | ReDoS RD-005 → search_cloudflare_documentation | No ReDoS signature: baseline 2843ms, attack 2085ms, ratio 0.7×. | 2085ms |
| T29-TOOL-workers_get_worker-RD-001 | PASS | ReDoS RD-001 → workers_get_worker | No ReDoS signature: baseline 1041ms, attack 2768ms, ratio 2.7×. | 2768ms |
| T29-TOOL-workers_get_worker-RD-002 | PASS | ReDoS RD-002 → workers_get_worker | No ReDoS signature: baseline 1041ms, attack 1056ms, ratio 1.0×. | 1056ms |
| T29-TOOL-workers_get_worker-RD-003 | PASS | ReDoS RD-003 → workers_get_worker | No ReDoS signature: baseline 1041ms, attack 1102ms, ratio 1.1×. | 1102ms |
| T29-TOOL-workers_get_worker-RD-004 | PASS | ReDoS RD-004 → workers_get_worker | No ReDoS signature: baseline 1041ms, attack 1061ms, ratio 1.0×. | 1061ms |
| T29-TOOL-workers_get_worker-RD-005 | PASS | ReDoS RD-005 → workers_get_worker | No ReDoS signature: baseline 1041ms, attack 1304ms, ratio 1.3×. | 1304ms |
| T29-TOOL-workers_get_worker_c-RD-001 | PASS | ReDoS RD-001 → workers_get_worker_code | No ReDoS signature: baseline 1066ms, attack 916ms, ratio 0.9×. | 916ms |
| T29-TOOL-workers_get_worker_c-RD-002 | PASS | ReDoS RD-002 → workers_get_worker_code | No ReDoS signature: baseline 1066ms, attack 1160ms, ratio 1.1×. | 1160ms |
| T29-TOOL-workers_get_worker_c-RD-003 | PASS | ReDoS RD-003 → workers_get_worker_code | No ReDoS signature: baseline 1066ms, attack 993ms, ratio 0.9×. | 993ms |
| T29-TOOL-workers_get_worker_c-RD-004 | PASS | ReDoS RD-004 → workers_get_worker_code | No ReDoS signature: baseline 1066ms, attack 956ms, ratio 0.9×. | 956ms |
| T29-TOOL-workers_get_worker_c-RD-005 | PASS | ReDoS RD-005 → workers_get_worker_code | No ReDoS signature: baseline 1066ms, attack 1067ms, ratio 1.0×. | 1067ms |
| T30-099 | PASS | OAuth Flow Abuse — Summary | Server does not advertise OAuth flow; all probes skipped. | 1214ms |
| DISCOVERY · 8 tests | ||||
| T01-001 | INFO | Server Identity |
Server did not advertise: name, version. Got name='unknown' version='unknown' protocol='unknown'.
Remediation:
Ensure the MCP server returns a populated 'serverInfo' object in its initialize response (name and version fields). |
0ms |
| T01-002 | PASS | Tool Enumeration |
Discovered 9 tool(s): accounts_list, workers_list, workers_get_worker, workers_get_worker_code, query_worker_observabili…accounts_list: 'List all accounts in your Cloudflare account'
workers_list: 'List all Workers in your Cloudflare account.\n\nIf you only need details of a sing'
workers_get_worker: 'Get the details of the Cloudflare Worker.'
workers_get_worker_code: 'Get the source code of a Cloudflare Worker. Note: This may be a bundled version '
query_worker_observability: 'Query the Workers Observability API to analyze logs and metrics from your Cloudf'
observability_keys: 'Find keys in the Workers Observability Data\n\n## Best Practices\n- Set a high limi'
observability_values: 'Find values in the Workers Observability Data.\n\n## Troubleshooting\n- For no resu'
search_cloudflare_documentation: 'Search the Cloudflare documentation.\n\n\t\tThis tool should be used to answer any q'
migrate_pages_to_workers_guide: 'ALWAYS read this guide before migrating Pages projects to Workers.'
|
0ms |
| T01-003 | PASS | Resource Enumeration | Discovered 0 resource(s). | 0ms |
| T01-004 | PASS | Prompt Enumeration |
Discovered 1 prompt(s): workers-prompt-full.workers-prompt-full: 'Detailed prompt for generating Cloudflare Workers code (and other developer plat' (0 arg(s))
|
0ms |
| T01-005 | PASS | Tool Description Completeness | All 9 tool(s) have non-empty descriptions. | 0ms |
| T01-006 | PASS | Tool Schema Validity | All 9 tool(s) have valid JSON Schema inputSchema. | 0ms |
| T01-007 | PASS | Duplicate Tool Names | All 9 tool name(s) are unique. | 0ms |
| T01-008 | PASS | Tool Description Length | All 9 tool description(s) are within the 2,000-character limit. | 0ms |
| SCHEMA · 20 tests | ||||
| T06-004 | INFO | Return Type Consistency | No tools returned comparable JSON responses — consistency check not applicable. | 0ms |
| T06-006-workers_get_worker | INFO | Description Quality: workers_get_worker |
Tool 'workers_get_worker' description does not mention its parameters (scriptName).Description: 'Get the details of the Cloudflare Worker.'
Tool has 1 parameter(s) but the description contains no parameter documentation signals.
Remediation:
Include a brief description of each parameter in the tool's description so LLMs can construct valid calls. Example: 'Accepts: query (string) - the search query.' |
0ms |
| T06-006-workers_get_worker_code | INFO | Description Quality: workers_get_worker_code |
Tool 'workers_get_worker_code' description does not mention its parameters (scriptName).Description: 'Get the source code of a Cloudflare Worker. Note: This may be a bundled version of the worker.'
Tool has 1 parameter(s) but the description contains no parameter documentation signals.
Remediation:
Include a brief description of each parameter in the tool's description so LLMs can construct valid calls. Example: 'Accepts: query (string) - the search query.' |
0ms |
| T06-001 | PASS | Schema Structural Validity | All 9 tool inputSchema(s) are structurally valid. | 0ms |
| T06-002-observability_keys | PASS | Required Enforcement: observability_keys |
Tool 'observability_keys' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"keysQuery"
],
"me
|
804ms |
| T06-002-observability_values | PASS | Required Enforcement: observability_values |
Tool 'observability_values' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"valuesQuery"
],
|
804ms |
| T06-002-query_worker_observability | PASS | Required Enforcement: query_worker_observability |
Tool 'query_worker_observability' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query"
],
|
723ms |
| T06-002-search_cloudflare_documentation | PASS | Required Enforcement: search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query"
]
|
798ms |
| T06-002-workers_get_worker | PASS | Required Enforcement: workers_get_worker |
Tool 'workers_get_worker' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"scriptName"
],
"m
|
787ms |
| T06-002-workers_get_worker_code | PASS | Required Enforcement: workers_get_worker_code |
Tool 'workers_get_worker_code' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"scriptName"
],
|
760ms |
| T06-003 | PASS | additionalProperties Strictness | All 9 tool(s) have 'additionalProperties': false. | 0ms |
| T06-005 | PASS | Overly Permissive Schema Detection | All 9 tool schema(s) are acceptably strict. | 0ms |
| T06-006-accounts_list | PASS | Description Quality: accounts_list |
Tool 'accounts_list' has an adequate description (44 chars).Description: 'List all accounts in your Cloudflare account'
|
0ms |
| T06-006-migrate_pages_to_workers_guide | PASS | Description Quality: migrate_pages_to_workers_guide |
Tool 'migrate_pages_to_workers_guide' has an adequate description (66 chars).Description: 'ALWAYS read this guide before migrating Pages projects to Workers.'
|
0ms |
| T06-006-observability_keys | PASS | Description Quality: observability_keys |
Tool 'observability_keys' has an adequate description (344 chars).Description: 'Find keys in the Workers Observability Data\n\n## Best Practices\n- Set a high limit (1000+) to ensure you see all available keys\n- Add the $metadata.service filter to narrow results to a specific Worker'
|
0ms |
| T06-006-observability_values | PASS | Description Quality: observability_values |
Tool 'observability_values' has an adequate description (204 chars).Description: 'Find values in the Workers Observability Data.\n\n## Troubleshooting\n- For no results, verify the field exists using observability_keys first\n- If expected values are missing, try broadening your time r'
|
0ms |
| T06-006-query_worker_observability | PASS | Description Quality: query_worker_observability |
Tool 'query_worker_observability' has an adequate description (1001 chars).Description: 'Query the Workers Observability API to analyze logs and metrics from your Cloudflare Workers.\n\n\t* A query typical query looks like this:\n\t\t\t\t{"view":"events","queryId":"workers-logs-events","limit":5,'
|
0ms |
| T06-006-search_cloudflare_documentation | PASS | Description Quality: search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' has an adequate description (541 chars).Description: 'Search the Cloudflare documentation.\n\n\t\tThis tool should be used to answer any question about Cloudflare products or features, including:\n\t\t- Workers, Pages, R2, Images, Stream, D1, Durable Objects, K'
|
0ms |
| T06-006-workers_list | PASS | Description Quality: workers_list |
Tool 'workers_list' has an adequate description (114 chars).Description: 'List all Workers in your Cloudflare account.\n\nIf you only need details of a single Worker, use workers_get_worker.'
|
0ms |
| T16-003 | PASS | Tool Schema Required-Field Drift | No required-field drift detected. | 0ms |
| PERFORMANCE · 20 tests | ||||
| T00-003 | INFO | Connection Closed Mid-Scan (Rate Limit / Server Reset) |
The HTTP server closed the connection mid-scan. This is expected behaviour for production servers that apply rate-limiti…Unexpected HTTP/SSE transport error: HTTPStatusError: Client error '400 Bad Request' for url 'https://observability.mcp.cloudflare.com/mcp'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400 (caused by ExceptionGroup: unhandled errors in a TaskGroup (1 sub-exception))
Remediation:
Re-run with --no-load to skip T05 load tests and reduce the number of requests sent to the server. The connection drop does not indicate a vulnerability. |
481380ms |
| T08-001-05 | INFO | Baseline Latency: query_worker_observability |
Tool 'query_worker_observability' requires valid credentials or real parameters — latency probe skipped (API rejection, …McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query",
"parameters"
],
"message": "Required"
},
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
},
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
}
],
"path": [
"query",
"timeframe"
],
"message": "Invalid input"
}
]
McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query",
"parameters"
],
"message": "Required"
},
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query",
"timeframe"
],
"message": "Required"
}
…
|
9176ms |
| T08-001-06 | INFO | Baseline Latency: observability_keys |
Tool 'observability_keys' requires valid credentials or real parameters — latency probe skipped (API rejection, not a se…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"keysQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
},
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"keysQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
}
],
"path": [
"keysQuery",
"timeframe"
],
"message": "Invalid input"
}
]
McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"keysQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
},
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"keysQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
}
],
"path": [
"keysQuery",
"timeframe"
],
"message": "Invalid input"
}
]
McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
…
|
4277ms |
| T08-001-07 | INFO | Baseline Latency: observability_values |
Tool 'observability_values' requires valid credentials or real parameters — latency probe skipped (API rejection, not a …McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
"received": "undefined",
"code": "invalid_type",
"path": [
"valuesQuery",
"type"
],
"message": "Required"
},
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"valuesQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
},
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"valuesQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
}
],
"path": [
"valuesQuery",
"timeframe"
],
"message": "Invalid input"
}
]
McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
"received": "undefined",
"code": "invalid_type",
"path": [
"valuesQuery",
"type"
],
"message": "Required"
},
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"valuesQuery",
"timeframe"
…
|
4950ms |
| T08-003-00 | INFO | Resource Read Latency | No resources to benchmark. | 0ms |
| T05-001 | PASS | 10 Simultaneous Calls |
All 10 concurrent calls to 'accounts_list' succeeded with no data leakage.min=1109ms mean=1265ms max=1474ms
|
1787ms |
| T05-002 | PASS | 50 Sequential Rapid Calls |
p50=1300ms p95=2397ms p99=3686ms{
"tool": "accounts_list",
"calls": 50,
"errors": 0,
"min_ms": 966.81,
"mean_ms": 1439.22,
"max_ms": 3685.94,
"p50_ms": 1299.71,
"p95_ms": 2397.2,
"p99_ms": 3685.94
}
|
71961ms |
| T05-003 | PASS | 100 Concurrent Calls (Stress Test) |
All 100 calls succeeded. Throughput: 7.7 calls/secThroughput: 7.7 calls/sec
|
12937ms |
| T05-004 | PASS | Connection Stability Under Rapid Reconnect |
Tool list consistent across all 5 reconnects: ['accounts_list', 'migrate_pages_to_workers_guide', 'observability_keys', …Reconnects: 5. Tools per connect: 9.
|
51977ms |
| T08-001-01 | PASS | Baseline Latency: accounts_list |
Tool 'accounts_list': mean=1370ms min=1284ms max=1575ms (5 samples).{
"accounts_list": {
"mean_ms": 1369.6,
"min_ms": 1284.28,
"max_ms": 1575.14,
"samples": [
1284.28,
1295.74,
1384.72,
1575.14,
1308.14
]
}
}
|
6848ms |
| T08-001-02 | PASS | Baseline Latency: workers_list |
Tool 'workers_list': mean=1153ms min=932ms max=1540ms (5 samples).{
"workers_list": {
"mean_ms": 1153.13,
"min_ms": 932.0,
"max_ms": 1539.85,
"samples": [
1070.87,
1539.85,
1216.56,
1006.37,
932.0
]
}
}
|
5766ms |
| T08-001-03 | PASS | Baseline Latency: workers_get_worker |
Tool 'workers_get_worker': mean=1114ms min=921ms max=1400ms (5 samples).{
"workers_get_worker": {
"mean_ms": 1114.16,
"min_ms": 920.91,
"max_ms": 1400.15,
"samples": [
1145.48,
1400.15,
939.49,
920.91,
1164.75
]
}
}
|
5571ms |
| T08-001-04 | PASS | Baseline Latency: workers_get_worker_code |
Tool 'workers_get_worker_code': mean=1199ms min=955ms max=1418ms (5 samples).{
"workers_get_worker_code": {
"mean_ms": 1198.85,
"min_ms": 955.24,
"max_ms": 1418.28,
"samples": [
1413.77,
955.24,
1418.28,
1104.83,
1102.11
]
}
}
|
5994ms |
| T08-001-08 | PASS | Baseline Latency: search_cloudflare_documentation |
Tool 'search_cloudflare_documentation': mean=2350ms min=1931ms max=2917ms (5 samples).{
"search_cloudflare_documentation": {
"mean_ms": 2350.34,
"min_ms": 1931.38,
"max_ms": 2917.46,
"samples": [
2917.46,
2585.07,
2107.91,
2209.91,
1931.38
]
}
}
|
11752ms |
| T08-001-09 | PASS | Baseline Latency: migrate_pages_to_workers_guide |
Tool 'migrate_pages_to_workers_guide': mean=1105ms min=759ms max=1722ms (5 samples).{
"migrate_pages_to_workers_guide": {
"mean_ms": 1105.14,
"min_ms": 758.66,
"max_ms": 1721.87,
"samples": [
1131.2,
1721.87,
758.66,
1033.48,
880.5
]
}
}
|
5526ms |
| T08-002 | PASS | Tool Discovery Latency |
list_tools() mean=867ms min=783ms max=974ms.{
"list_tools": {
"mean_ms": 866.87,
"min_ms": 782.89,
"max_ms": 974.4,
"samples": [
826.05,
784.14,
966.87,
782.89,
974.4
]
}
}
|
4334ms |
| T08-004 | PASS | Cold Start Detection |
No significant cold-start penalty detected (ratio 0.8×, threshold 10×).Call 1 (cold): 1204ms
Calls 2-5 (warm): 1819ms, 1738ms, 1522ms, 1300ms
Warm mean: 1595ms Ratio: 0.8×
|
7584ms |
| T20-001 | PASS | Response-Size Drift | Response sizes stable (155→155 bytes, ratio 1.00×). | 48190ms |
| T20-002 | PASS | Latency Drift | Latency stable (1254.7→1152.1ms, ratio 0.92×). | 48190ms |
| T20-004 | PASS | Memory Leak — Summary | No memory growth signals over 40 probe calls. | 48190ms |