MCP Server Security & Performance Analysis — v0.2.0
| Test ID | Severity | Test Name | Description / Details | Duration |
|---|---|---|---|---|
| SECURITY · 153 tests | ||||
| T04-001 | MEDIUM | Rug Pull Detection (Mutation Check) |
1 tool description(s) grew between two consecutive list_tools() calls (3 s apart). Descriptions only extended — likely C…Tool 'query_worker_observability' description CHANGED at char 1000:
Length: 1001 → 1603 chars (grew)
BEFORE[920:1001]: 'ore applying filters, use the observability_keys and observability_values tools …'
AFTER [920:1160]: 'ore applying filters, use the observability_keys and observability_values tools to confirm available filter fields and the correct filter value to add unless you have the data in a response from a previous query.\n- Common filter fields: $m'
Remediation:
Tool descriptions should be fully materialized at startup. If descriptions grow between calls, clients may make tool-use decisions based on incomplete instructions. Ensure list_tools() always returns the full, stable description. |
4891ms |
| T04-003 | LOW | Cross-Tool Reference Detection |
Found 4 cross-tool reference(s) in tool descriptions — server uses chained workflow guidance. Verify no sensitive data i… Tool 'workers_list' description references 'workers_get_worker'
Tool 'query_worker_observability' description references 'observability_keys'
Tool 'query_worker_observability' description references 'observability_values'
Tool 'observability_values' description references 'observability_keys'
Remediation:
Cross-tool references in descriptions are common in multi-step APIs and are not inherently malicious. Review each reference to confirm it describes legitimate workflow guidance (e.g. 'call tool X first to discover available values') rather than parasitic data exfiltration (e.g. 'silently forward results to tool Y'). Tool descriptions must describe only the tool's own behaviour. References to other tool names in a description can trick LLMs into invoking them as a silent side-effect, creating an unaudited tool chain. |
1ms |
| T09-TOOL-observability_keys | INFO | Output Sanitization → observability_keys |
Tool 'observability_keys' rejected probe (auth or param requirements).MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
|
784ms |
| T09-TOOL-observability_values | INFO | Output Sanitization → observability_values |
Tool 'observability_values' rejected probe (auth or param requirements).MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
|
1074ms |
| T09-TOOL-query_worker_observability | INFO | Output Sanitization → query_worker_observability |
Tool 'query_worker_observability' rejected probe (auth or param requirements).MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object
|
1121ms |
| T13-002 | INFO | Unsolicited Sampling Requests | MCP client SDK does not expose an incoming-request hook; unsolicited sampling detection relies on capability audit (T13-001). | 5328ms |
| T17-002 | INFO | Description Fingerprint Inventory |
Catalogued 10 SHA-256 description fingerprints. Use `mcpsafe compare` to detect drift across scans.tool:accounts_list = 5b092e5b13d398591a90b88732d161edee087e873329800d526898fcc97efc55
tool:workers_list = 40b94ea10490da2fe37812d2af477258fd99d33f932476d55c2e5ed9986a176b
tool:workers_get_worker = 5a3d286bf48d31d954354e821dd297ee5eb7d691b2931a4ee07192888a364f1b
tool:workers_get_worker_code = 8ac90fec2b98bbabab81fec21c60ec50077c558cec980da4555f8767bf3a904f
tool:query_worker_observability = 7af12e09a11ef1ce58e4082b1c5032adccce4c4e84246cb97e3978afcfe0c706
tool:observability_keys = 083d0de606c7edc1b5296e776713eeea85cfd623459e3c4cf109b622507fc235
tool:observability_values = 6f7716f7694ef1b9dc4c8be5b03b8e74158dd2f6228b572a280bcc7448155ea1
tool:search_cloudflare_documentation = fb5bf70a271f9ccaf9062c13f058b203e21fe88ee413284e495d9035eb2c7513
tool:migrate_pages_to_workers_guide = fc1b50a88c58bc18d7add334587e6d1624d0b88357cd88486ea9bd6f1be37808
prompt:workers-prompt-full = 07abf707ebcefee88382f79d897d6044c2bbd61df9689f3592e599d9154c42b3
|
0ms |
| T18-001 | INFO | SSRF — Summary | Server does not expose resources/read; SSRF probes skipped. | 0ms |
| T02-search_cloudflare_documentation-PI-001 | PASS | Injection PI-001 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-001 (Classic override) gracefully.Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/waf/detections/ai-security-for-apps/prompt-injection/</url>\n<title></title>\n<text>\n### Why a score instead of a boolea'
|
3380ms |
| T02-search_cloudflare_documentation-PI-002 | PASS | Injection PI-002 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-002 (Newline injection) gracefully.Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/ai-search/configuration/system-prompt/</url>\n<title></title>\n<text>\n# System prompt\n\nSystem prompts allow you to guide'
|
2135ms |
| T02-search_cloudflare_documentation-PI-003 | PASS | Injection PI-003 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-003 (XML tag injection) gracefully.Response excerpt: ''
|
2456ms |
| T02-search_cloudflare_documentation-PI-004 | PASS | Injection PI-004 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-004 (SQL injection probe) gracefully.Response excerpt: ''
|
2636ms |
| T02-search_cloudflare_documentation-PI-005 | PASS | Injection PI-005 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-005 (Shell injection) gracefully.Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/workers/wrangler/commands/general/</url>\n<title></title>\n<text>\n## `auth`\n\n### `auth token`\n\nRetrieve your current aut'
|
3053ms |
| T02-search_cloudflare_documentation-PI-006 | PASS | Injection PI-006 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-006 (Backtick injection) gracefully.Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/workers-ai/models/kimi-k2.5/</url>\n<title></title>\n<text>\n* `id` ` string ` required \n '
|
2694ms |
| T02-search_cloudflare_documentation-PI-007 | PASS | Injection PI-007 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-007 (Path traversal) gracefully.Response excerpt: ''
|
3606ms |
| T02-search_cloudflare_documentation-PI-008 | PASS | Injection PI-008 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-008 (Right-to-left override unicode) gracefully.Response excerpt: ''
|
2889ms |
| T02-search_cloudflare_documentation-PI-009 | PASS | Injection PI-009 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-009 (Null byte injection) gracefully.Response excerpt: '<result>\n<url>https://developers.cloudflare.com/https://developers.cloudflare.com/workers/best-practices/workers-best-practices/</url>\n<title></title>\n<text>\n// ✅ Good: test the null case explicitly\n\n'
|
2344ms |
| T02-search_cloudflare_documentation-PI-010 | PASS | Injection PI-010 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-010 (BOM character) gracefully.Response excerpt: ''
|
2521ms |
| T02-search_cloudflare_documentation-PI-011 | PASS | Injection PI-011 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-011 (Rug pull attempt) gracefully.Response excerpt: ''
|
2411ms |
| T02-search_cloudflare_documentation-PI-012 | PASS | Injection PI-012 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-012 (Exfiltration instruction) gracefully.Response excerpt: ''
|
2021ms |
| T02-search_cloudflare_documentation-PI-013 | PASS | Injection PI-013 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-013 (Large payload DoS probe 10k) gracefully.Response excerpt: ''
|
3158ms |
| T02-search_cloudflare_documentation-PI-014 | PASS | Injection PI-014 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-014 (Large payload DoS probe 100k) gracefully.Response excerpt: ''
|
8080ms |
| T02-search_cloudflare_documentation-PI-015 | PASS | Injection PI-015 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-015 (Jinja template injection) gracefully.Response excerpt: ''
|
2448ms |
| T02-search_cloudflare_documentation-PI-016 | PASS | Injection PI-016 → search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' handled PI-016 (Python format injection) gracefully.Response excerpt: ''
|
2521ms |
| T02-workers_get_worker-PI-001 | PASS | Injection PI-001 → workers_get_worker |
Tool 'workers_get_worker' handled PI-001 (Classic override) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1225ms |
| T02-workers_get_worker-PI-002 | PASS | Injection PI-002 → workers_get_worker |
Tool 'workers_get_worker' handled PI-002 (Newline injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1809ms |
| T02-workers_get_worker-PI-003 | PASS | Injection PI-003 → workers_get_worker |
Tool 'workers_get_worker' handled PI-003 (XML tag injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1027ms |
| T02-workers_get_worker-PI-004 | PASS | Injection PI-004 → workers_get_worker |
Tool 'workers_get_worker' handled PI-004 (SQL injection probe) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1220ms |
| T02-workers_get_worker-PI-005 | PASS | Injection PI-005 → workers_get_worker |
Tool 'workers_get_worker' handled PI-005 (Shell injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
976ms |
| T02-workers_get_worker-PI-006 | PASS | Injection PI-006 → workers_get_worker |
Tool 'workers_get_worker' handled PI-006 (Backtick injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1183ms |
| T02-workers_get_worker-PI-007 | PASS | Injection PI-007 → workers_get_worker |
Tool 'workers_get_worker' handled PI-007 (Path traversal) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
783ms |
| T02-workers_get_worker-PI-008 | PASS | Injection PI-008 → workers_get_worker |
Tool 'workers_get_worker' handled PI-008 (Right-to-left override unicode) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1019ms |
| T02-workers_get_worker-PI-009 | PASS | Injection PI-009 → workers_get_worker |
Tool 'workers_get_worker' handled PI-009 (Null byte injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
753ms |
| T02-workers_get_worker-PI-010 | PASS | Injection PI-010 → workers_get_worker |
Tool 'workers_get_worker' handled PI-010 (BOM character) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1137ms |
| T02-workers_get_worker-PI-011 | PASS | Injection PI-011 → workers_get_worker |
Tool 'workers_get_worker' handled PI-011 (Rug pull attempt) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1234ms |
| T02-workers_get_worker-PI-012 | PASS | Injection PI-012 → workers_get_worker |
Tool 'workers_get_worker' handled PI-012 (Exfiltration instruction) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
937ms |
| T02-workers_get_worker-PI-013 | PASS | Injection PI-013 → workers_get_worker |
Tool 'workers_get_worker' handled PI-013 (Large payload DoS probe 10k) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1281ms |
| T02-workers_get_worker-PI-014 | PASS | Injection PI-014 → workers_get_worker |
Tool 'workers_get_worker' handled PI-014 (Large payload DoS probe 100k) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1028ms |
| T02-workers_get_worker-PI-015 | PASS | Injection PI-015 → workers_get_worker |
Tool 'workers_get_worker' handled PI-015 (Jinja template injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1398ms |
| T02-workers_get_worker-PI-016 | PASS | Injection PI-016 → workers_get_worker |
Tool 'workers_get_worker' handled PI-016 (Python format injection) gracefully.Response excerpt: 'Error retrieving worker script: Cloudflare API request failed'
|
1357ms |
| T02-workers_get_worker_code-PI-001 | PASS | Injection PI-001 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-001 (Classic override) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
2017ms |
| T02-workers_get_worker_code-PI-002 | PASS | Injection PI-002 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-002 (Newline injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1256ms |
| T02-workers_get_worker_code-PI-003 | PASS | Injection PI-003 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-003 (XML tag injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1366ms |
| T02-workers_get_worker_code-PI-004 | PASS | Injection PI-004 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-004 (SQL injection probe) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
977ms |
| T02-workers_get_worker_code-PI-005 | PASS | Injection PI-005 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-005 (Shell injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 <!DOCTYPE html>\n<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->\n<!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--'
|
722ms |
| T02-workers_get_worker_code-PI-006 | PASS | Injection PI-006 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-006 (Backtick injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1410ms |
| T02-workers_get_worker_code-PI-007 | PASS | Injection PI-007 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-007 (Path traversal) gracefully.Response excerpt: 'Error retrieving worker script: 404 {"result":null,"success":false,"errors":[{"code":7003,"message":"Could not route to /client/v4/accounts/etc/passwd, perhaps your object identifier is invalid?"}],"m'
|
1232ms |
| T02-workers_get_worker_code-PI-008 | PASS | Injection PI-008 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-008 (Right-to-left override unicode) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1516ms |
| T02-workers_get_worker_code-PI-009 | PASS | Injection PI-009 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-009 (Null byte injection) gracefully.Response excerpt: 'Error retrieving worker script: 400 <html>\r\n<head><title>400 Bad Request</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n<hr><center>cloudflare</center>\r\n</body>\r\n</html>\r\n'
|
710ms |
| T02-workers_get_worker_code-PI-010 | PASS | Injection PI-010 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-010 (BOM character) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1488ms |
| T02-workers_get_worker_code-PI-011 | PASS | Injection PI-011 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-011 (Rug pull attempt) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
2282ms |
| T02-workers_get_worker_code-PI-012 | PASS | Injection PI-012 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-012 (Exfiltration instruction) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
3559ms |
| T02-workers_get_worker_code-PI-013 | PASS | Injection PI-013 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-013 (Large payload DoS probe 10k) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1168ms |
| T02-workers_get_worker_code-PI-014 | PASS | Injection PI-014 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-014 (Large payload DoS probe 100k) gracefully.Response excerpt: 'Error retrieving worker script: 400 error code: 1036'
|
1156ms |
| T02-workers_get_worker_code-PI-015 | PASS | Injection PI-015 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-015 (Jinja template injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1298ms |
| T02-workers_get_worker_code-PI-016 | PASS | Injection PI-016 → workers_get_worker_code |
Tool 'workers_get_worker_code' handled PI-016 (Python format injection) gracefully.Response excerpt: 'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}'
|
1118ms |
| T03-03-scriptname-FUZZ-STR-001 | PASS | Fuzz FUZZ-STR-001 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-001 (empty string) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
1224ms |
| T03-03-scriptname-FUZZ-STR-002 | PASS | Fuzz FUZZ-STR-002 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-002 (single space) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
1216ms |
| T03-03-scriptname-FUZZ-STR-003 | PASS | Fuzz FUZZ-STR-003 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-003 (whitespace only) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
1281ms |
| T03-03-scriptname-FUZZ-STR-004 | PASS | Fuzz FUZZ-STR-004 → workers_get_worker.scriptName |
Tool 'workers_get_worker' returned a structured error for FUZZ-STR-004 (null value) on param 'scriptName' — handled grac…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "null",
"path": [
"scriptName"
],
"message": "Expected string, received null"
}
]
|
1398ms |
| T03-03-scriptname-FUZZ-STR-005 | PASS | Fuzz FUZZ-STR-005 → workers_get_worker.scriptName |
Tool 'workers_get_worker' returned a structured error for FUZZ-STR-005 (integer as string field) on param 'scriptName' —…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "number",
"path": [
"scriptName"
],
"message": "Expected string, received number"
}
]
|
977ms |
| T03-03-scriptname-FUZZ-STR-006 | PASS | Fuzz FUZZ-STR-006 → workers_get_worker.scriptName |
Tool 'workers_get_worker' returned a structured error for FUZZ-STR-006 (boolean as string field) on param 'scriptName' —…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "boolean",
"path": [
"scriptName"
],
"message": "Expected string, received boolean"
}
]
|
995ms |
| T03-03-scriptname-FUZZ-STR-007 | PASS | Fuzz FUZZ-STR-007 → workers_get_worker.scriptName |
Tool 'workers_get_worker' returned a structured error for FUZZ-STR-007 (list as string field) on param 'scriptName' — ha…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "array",
"path": [
"scriptName"
],
"message": "Expected string, received array"
}
]
|
741ms |
| T03-03-scriptname-FUZZ-STR-008 | PASS | Fuzz FUZZ-STR-008 → workers_get_worker.scriptName |
Tool 'workers_get_worker' returned a structured error for FUZZ-STR-008 (dict as string field) on param 'scriptName' — ha…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "object",
"path": [
"scriptName"
],
"message": "Expected string, received object"
}
]
|
789ms |
| T03-03-scriptname-FUZZ-STR-009 | PASS | Fuzz FUZZ-STR-009 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-009 (very long string 10k) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
1298ms |
| T03-03-scriptname-FUZZ-STR-010 | PASS | Fuzz FUZZ-STR-010 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-010 (newlines and tabs) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
1250ms |
| T03-03-scriptname-FUZZ-STR-011 | PASS | Fuzz FUZZ-STR-011 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-011 (null byte in string) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
720ms |
| T03-03-scriptname-FUZZ-STR-012 | PASS | Fuzz FUZZ-STR-012 → workers_get_worker.scriptName |
Tool 'workers_get_worker' handled FUZZ-STR-012 (all unicode planes) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: Cloudflare API request failed', annotations=None, meta=None)] structuredContent=None isError=False"
|
794ms |
| T03-04-scriptname-FUZZ-STR-001 | PASS | Fuzz FUZZ-STR-001 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-001 (empty string) on param 'scriptName' correctly.Response excerpt: 'meta=None content=[TextContent(type=\'text\', text=\'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}\', annotat'
|
1278ms |
| T03-04-scriptname-FUZZ-STR-002 | PASS | Fuzz FUZZ-STR-002 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-002 (single space) on param 'scriptName' correctly.Response excerpt: 'meta=None content=[TextContent(type=\'text\', text=\'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}\', annotat'
|
1328ms |
| T03-04-scriptname-FUZZ-STR-003 | PASS | Fuzz FUZZ-STR-003 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-003 (whitespace only) on param 'scriptName' correctly.Response excerpt: 'meta=None content=[TextContent(type=\'text\', text=\'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}\', annotat'
|
1235ms |
| T03-04-scriptname-FUZZ-STR-004 | PASS | Fuzz FUZZ-STR-004 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' returned a structured error for FUZZ-STR-004 (null value) on param 'scriptName' — handled…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "null",
"path": [
"scriptName"
],
"message": "Expected string, received null"
}
]
|
800ms |
| T03-04-scriptname-FUZZ-STR-005 | PASS | Fuzz FUZZ-STR-005 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' returned a structured error for FUZZ-STR-005 (integer as string field) on param 'scriptNa…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "number",
"path": [
"scriptName"
],
"message": "Expected string, received number"
}
]
|
781ms |
| T03-04-scriptname-FUZZ-STR-006 | PASS | Fuzz FUZZ-STR-006 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' returned a structured error for FUZZ-STR-006 (boolean as string field) on param 'scriptNa…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "boolean",
"path": [
"scriptName"
],
"message": "Expected string, received boolean"
}
]
|
766ms |
| T03-04-scriptname-FUZZ-STR-007 | PASS | Fuzz FUZZ-STR-007 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' returned a structured error for FUZZ-STR-007 (list as string field) on param 'scriptName'…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "array",
"path": [
"scriptName"
],
"message": "Expected string, received array"
}
]
|
1070ms |
| T03-04-scriptname-FUZZ-STR-008 | PASS | Fuzz FUZZ-STR-008 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' returned a structured error for FUZZ-STR-008 (dict as string field) on param 'scriptName'…McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "object",
"path": [
"scriptName"
],
"message": "Expected string, received object"
}
]
|
882ms |
| T03-04-scriptname-FUZZ-STR-009 | PASS | Fuzz FUZZ-STR-009 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-009 (very long string 10k) on param 'scriptName' correctly.Response excerpt: 'meta=None content=[TextContent(type=\'text\', text=\'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}\', annotat'
|
1391ms |
| T03-04-scriptname-FUZZ-STR-010 | PASS | Fuzz FUZZ-STR-010 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-010 (newlines and tabs) on param 'scriptName' correctly.Response excerpt: 'meta=None content=[TextContent(type=\'text\', text=\'Error retrieving worker script: 403 {"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[],"result":null}\', annotat'
|
1499ms |
| T03-04-scriptname-FUZZ-STR-011 | PASS | Fuzz FUZZ-STR-011 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-011 (null byte in string) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: 400 <html>\\r\\n<head><title>400 Bad Request</title></head>\\r\\n<body>\\r\\n<center><h1>400 Bad Request</h1></center>\\r\\n<h"
|
707ms |
| T03-04-scriptname-FUZZ-STR-012 | PASS | Fuzz FUZZ-STR-012 → workers_get_worker_code.scriptName |
Tool 'workers_get_worker_code' handled FUZZ-STR-012 (all unicode planes) on param 'scriptName' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='Error retrieving worker script: 400 <html>\\r\\n<head><title>400 Bad Request</title></head>\\r\\n<body>\\r\\n<center><h1>400 Bad Request</h1></center>\\r\\n<h"
|
808ms |
| T03-05-query-FUZZ-OBJ-001 | PASS | Fuzz FUZZ-OBJ-001 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-001 (null as object) on param 'query' — handl…McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "object",
"received": "null",
"path": [
"query"
],
"message": "Expected object, received null"
}
]
|
1030ms |
| T03-05-query-FUZZ-OBJ-002 | PASS | Fuzz FUZZ-OBJ-002 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-002 (list as object) on param 'query' — handl…McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "object",
"received": "array",
"path": [
"query"
],
"message": "Expected object, received array"
}
]
|
900ms |
| T03-05-query-FUZZ-OBJ-003 | PASS | Fuzz FUZZ-OBJ-003 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-003 (string as object) on param 'query' — han…McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "object",
"received": "string",
"path": [
"query"
],
"message": "Expected object, received string"
}
]
|
786ms |
| T03-05-query-FUZZ-OBJ-004 | PASS | Fuzz FUZZ-OBJ-004 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-004 (empty object) on param 'query' — handled…McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object
|
671ms |
| T03-05-query-FUZZ-OBJ-005 | PASS | Fuzz FUZZ-OBJ-005 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-005 (prototype pollution) on param 'query' — …McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object
|
739ms |
| T03-05-query-FUZZ-OBJ-006 | PASS | Fuzz FUZZ-OBJ-006 → query_worker_observability.query |
Tool 'query_worker_observability' returned a structured error for FUZZ-OBJ-006 (deeply nested object) on param 'query' —…McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object
|
738ms |
| T03-06-keysquery-FUZZ-OBJ-001 | PASS | Fuzz FUZZ-OBJ-001 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-001 (null as object) on param 'keysQuery' — handled g…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_type",
"expected": "object",
"received": "null",
"path": [
"keysQuery"
],
"message": "Expected object, received null"
}
]
|
850ms |
| T03-06-keysquery-FUZZ-OBJ-002 | PASS | Fuzz FUZZ-OBJ-002 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-002 (list as object) on param 'keysQuery' — handled g…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_type",
"expected": "object",
"received": "array",
"path": [
"keysQuery"
],
"message": "Expected object, received array"
}
]
|
745ms |
| T03-06-keysquery-FUZZ-OBJ-003 | PASS | Fuzz FUZZ-OBJ-003 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-003 (string as object) on param 'keysQuery' — handled…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_type",
"expected": "object",
"received": "string",
"path": [
"keysQuery"
],
"message": "Expected object, received string"
}
]
|
1735ms |
| T03-06-keysquery-FUZZ-OBJ-004 | PASS | Fuzz FUZZ-OBJ-004 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-004 (empty object) on param 'keysQuery' — handled gra…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
|
3105ms |
| T03-06-keysquery-FUZZ-OBJ-005 | PASS | Fuzz FUZZ-OBJ-005 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-005 (prototype pollution) on param 'keysQuery' — hand…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
|
1357ms |
| T03-06-keysquery-FUZZ-OBJ-006 | PASS | Fuzz FUZZ-OBJ-006 → observability_keys.keysQuery |
Tool 'observability_keys' returned a structured error for FUZZ-OBJ-006 (deeply nested object) on param 'keysQuery' — han…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
|
956ms |
| T03-07-valuesquery-FUZZ-OBJ-001 | PASS | Fuzz FUZZ-OBJ-001 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-001 (null as object) on param 'valuesQuery' — handl…McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "object",
"received": "null",
"path": [
"valuesQuery"
],
"message": "Expected object, received null"
}
]
|
976ms |
| T03-07-valuesquery-FUZZ-OBJ-002 | PASS | Fuzz FUZZ-OBJ-002 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-002 (list as object) on param 'valuesQuery' — handl…McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "object",
"received": "array",
"path": [
"valuesQuery"
],
"message": "Expected object, received array"
}
]
|
790ms |
| T03-07-valuesquery-FUZZ-OBJ-003 | PASS | Fuzz FUZZ-OBJ-003 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-003 (string as object) on param 'valuesQuery' — han…McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "object",
"received": "string",
"path": [
"valuesQuery"
],
"message": "Expected object, received string"
}
]
|
908ms |
| T03-07-valuesquery-FUZZ-OBJ-004 | PASS | Fuzz FUZZ-OBJ-004 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-004 (empty object) on param 'valuesQuery' — handled…McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
|
860ms |
| T03-07-valuesquery-FUZZ-OBJ-005 | PASS | Fuzz FUZZ-OBJ-005 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-005 (prototype pollution) on param 'valuesQuery' — …McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
|
905ms |
| T03-07-valuesquery-FUZZ-OBJ-006 | PASS | Fuzz FUZZ-OBJ-006 → observability_values.valuesQuery |
Tool 'observability_values' returned a structured error for FUZZ-OBJ-006 (deeply nested object) on param 'valuesQuery' —…McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
|
820ms |
| T03-08-query-FUZZ-STR-001 | PASS | Fuzz FUZZ-STR-001 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-001 (empty string) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True"
|
1384ms |
| T03-08-query-FUZZ-STR-002 | PASS | Fuzz FUZZ-STR-002 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-002 (single space) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True"
|
776ms |
| T03-08-query-FUZZ-STR-003 | PASS | Fuzz FUZZ-STR-003 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-003 (whitespace only) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True"
|
1042ms |
| T03-08-query-FUZZ-STR-004 | PASS | Fuzz FUZZ-STR-004 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-004 (null value) on param 'query' — hand…McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "null",
"path": [
"query"
],
"message": "Expected string, received null"
}
]
|
950ms |
| T03-08-query-FUZZ-STR-005 | PASS | Fuzz FUZZ-STR-005 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-005 (integer as string field) on param '…McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "number",
"path": [
"query"
],
"message": "Expected string, received number"
}
]
|
890ms |
| T03-08-query-FUZZ-STR-006 | PASS | Fuzz FUZZ-STR-006 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-006 (boolean as string field) on param '…McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "boolean",
"path": [
"query"
],
"message": "Expected string, received boolean"
}
]
|
805ms |
| T03-08-query-FUZZ-STR-007 | PASS | Fuzz FUZZ-STR-007 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-007 (list as string field) on param 'que…McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "array",
"path": [
"query"
],
"message": "Expected string, received array"
}
]
|
863ms |
| T03-08-query-FUZZ-STR-008 | PASS | Fuzz FUZZ-STR-008 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' returned a structured error for FUZZ-STR-008 (dict as string field) on param 'que…McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "object",
"path": [
"query"
],
"message": "Expected string, received object"
}
]
|
811ms |
| T03-08-query-FUZZ-STR-009 | PASS | Fuzz FUZZ-STR-009 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-009 (very long string 10k) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='', annotations=None, meta=None)] structuredContent=None isError=False"
|
3065ms |
| T03-08-query-FUZZ-STR-010 | PASS | Fuzz FUZZ-STR-010 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-010 (newlines and tabs) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='All search methods failed: vector', annotations=None, meta=None)] structuredContent=None isError=True"
|
945ms |
| T03-08-query-FUZZ-STR-011 | PASS | Fuzz FUZZ-STR-011 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-011 (null byte in string) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='', annotations=None, meta=None)] structuredContent=None isError=False"
|
2337ms |
| T03-08-query-FUZZ-STR-012 | PASS | Fuzz FUZZ-STR-012 → search_cloudflare_documentation.query |
Tool 'search_cloudflare_documentation' handled FUZZ-STR-012 (all unicode planes) on param 'query' correctly.Response excerpt: "meta=None content=[TextContent(type='text', text='', annotations=None, meta=None)] structuredContent=None isError=False"
|
3147ms |
| T04-002 | PASS | Hidden Instruction Scan | No suspicious patterns found in 9 tool description(s). | 1ms |
| T04-004 | PASS | Schema Field Injection Check | All 9 tool inputSchema(s) contain only sanctioned JSON Schema fields. | 0ms |
| T04-005 | PASS | Tool Count Stability Check |
Tool count stable at 9 across 5 polls (2.5s window).Counts per poll: [9, 9, 9, 9, 9]
|
6240ms |
| T09-001 | PASS | Output Sanitization — Summary | All 9 tool outputs and 0 resource reads passed PI-marker scanning. | 11277ms |
| T09-TOOL-accounts_list | PASS | Output Sanitization → accounts_list | Tool 'accounts_list' output clean — no prompt-injection markers detected. | 1630ms |
| T09-TOOL-migrate_pages_to_workers_gui | PASS | Output Sanitization → migrate_pages_to_workers_guide | Tool 'migrate_pages_to_workers_guide' output clean — no prompt-injection markers detected. | 834ms |
| T09-TOOL-search_cloudflare_documentat | PASS | Output Sanitization → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' output clean — no prompt-injection markers detected. | 1492ms |
| T09-TOOL-workers_get_worker | PASS | Output Sanitization → workers_get_worker | Tool 'workers_get_worker' output clean — no prompt-injection markers detected. | 1401ms |
| T09-TOOL-workers_get_worker_code | PASS | Output Sanitization → workers_get_worker_code | Tool 'workers_get_worker_code' output clean — no prompt-injection markers detected. | 1245ms |
| T09-TOOL-workers_list | PASS | Output Sanitization → workers_list | Tool 'workers_list' output clean — no prompt-injection markers detected. | 1692ms |
| T10-001 | PASS | Cross-Session Data Leakage | Marker planted in 3 tool(s) via session A did not leak into an independent session B — state appears correctly partitioned. | 17974ms |
| T11-001 | PASS | Timing Side-Channel — Summary | Probed 3 tool(s); no timing oracles detected. | 42582ms |
| T11-TOOL-search_cloudflare_documentat | PASS | Timing Side-Channel → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' does not appear to leak timing information (mean 2496.8 ms vs 2335.6 ms, ratio 1.07×). | 19838ms |
| T11-TOOL-workers_get_worker | PASS | Timing Side-Channel → workers_get_worker | Tool 'workers_get_worker' does not appear to leak timing information (mean 1048.4 ms vs 1186.5 ms, ratio 0.88×). | 10032ms |
| T11-TOOL-workers_get_worker_code | PASS | Timing Side-Channel → workers_get_worker_code | Tool 'workers_get_worker_code' does not appear to leak timing information (mean 1351.5 ms vs 1019.4 ms, ratio 1.33×). | 12712ms |
| T12-001 | PASS | Error Secret Leakage — Summary | Probed 9 tool(s) and 0 resources; no secret patterns detected in error messages. | 24568ms |
| T12-TOOL-accounts_list | PASS | Error Secret Leakage → accounts_list | Tool 'accounts_list' never errored on malformed inputs — nothing to scan. | 1428ms |
| T12-TOOL-migrate_pages_to_workers_gui | PASS | Error Secret Leakage → migrate_pages_to_workers_guide | Tool 'migrate_pages_to_workers_guide' never errored on malformed inputs — nothing to scan. | 855ms |
| T12-TOOL-observability_keys | PASS | Error Secret Leakage → observability_keys | Tool 'observability_keys' errored on 3 malformed input(s); no secret patterns found in error text. | 3028ms |
| T12-TOOL-observability_values | PASS | Error Secret Leakage → observability_values | Tool 'observability_values' errored on 3 malformed input(s); no secret patterns found in error text. | 3555ms |
| T12-TOOL-query_worker_observability | PASS | Error Secret Leakage → query_worker_observability | Tool 'query_worker_observability' errored on 3 malformed input(s); no secret patterns found in error text. | 2812ms |
| T12-TOOL-search_cloudflare_documentat | PASS | Error Secret Leakage → search_cloudflare_documentation | Tool 'search_cloudflare_documentation' errored on 2 malformed input(s); no secret patterns found in error text. | 4458ms |
| T12-TOOL-workers_get_worker | PASS | Error Secret Leakage → workers_get_worker | Tool 'workers_get_worker' errored on 2 malformed input(s); no secret patterns found in error text. | 3360ms |
| T12-TOOL-workers_get_worker_code | PASS | Error Secret Leakage → workers_get_worker_code | Tool 'workers_get_worker_code' errored on 2 malformed input(s); no secret patterns found in error text. | 3252ms |
| T12-TOOL-workers_list | PASS | Error Secret Leakage → workers_list | Tool 'workers_list' never errored on malformed inputs — nothing to scan. | 1816ms |
| T13-001 | PASS | Sampling Capability Advertisement | Server does not advertise the 'sampling' capability. | 0ms |
| T13-003 | PASS | Sampling Abuse — Summary | No sampling-abuse surface detected. | 5328ms |
| T14-001 | PASS | Notification Flood Rate | Server sent 0 notifications during a 5s quiet window (0.0/sec) — well within expected bounds. | 7565ms |
| T14-002 | PASS | Notification Flood — Summary | No notification-flood risk detected. | 7565ms |
| T15-001 | PASS | Reentrancy — Summary | Probed 3 tool(s) with 6 concurrent invocations each; no state-bleed detected. | 6206ms |
| T15-TOOL-search_cloudflare_documentat | PASS | Reentrancy → search_cloudflare_documentation | 6 concurrent calls to 'search_cloudflare_documentation' returned independent results — no state bleed detected. | 3657ms |
| T15-TOOL-workers_get_worker | PASS | Reentrancy → workers_get_worker | 6 concurrent calls to 'workers_get_worker' returned independent results — no state bleed detected. | 1315ms |
| T15-TOOL-workers_get_worker_code | PASS | Reentrancy → workers_get_worker_code | 6 concurrent calls to 'workers_get_worker_code' returned independent results — no state bleed detected. | 1234ms |
| T16-001 | PASS | Tool Set Drift | Tool inventory stable across snapshots. | 7897ms |
| T16-002 | PASS | Resource Set Drift | Resource inventory stable. | 0ms |
| T16-004 | PASS | Server Capability Drift | Server capabilities stable. | 0ms |
| T16-005 | PASS | Capability Creep — Summary | All capability surfaces stable over 3s window. | 7897ms |
| T17-001 | PASS | Cross-Session Hash Drift | All 10 descriptions match byte-for-byte across two independent sessions. | 10934ms |
| T19-001 | PASS | Non-ASCII Identifiers | All identifiers are pure ASCII. | 0ms |
| T19-002 | PASS | Confusable / Homoglyph Characters | No Unicode confusables detected in identifiers. | 0ms |
| T19-003 | PASS | Mixed-Script Identifiers | No mixed-script identifiers found. | 0ms |
| T19-004 | PASS | Invisible / Directional Characters | No invisible characters in identifiers. | 0ms |
| T19-005 | PASS | Homoglyph Scan — Summary | Scanned 10 identifier(s); no impersonation signals detected. | 0ms |
| DISCOVERY · 8 tests | ||||
| T01-001 | INFO | Server Identity |
Server did not advertise: name, version. Got name='unknown' version='unknown' protocol='unknown'.
Remediation:
Ensure the MCP server returns a populated 'serverInfo' object in its initialize response (name and version fields). |
0ms |
| T01-002 | PASS | Tool Enumeration |
Discovered 9 tool(s): accounts_list, workers_list, workers_get_worker, workers_get_worker_code, query_worker_observabili…accounts_list: 'List all accounts in your Cloudflare account'
workers_list: 'List all Workers in your Cloudflare account.\n\nIf you only need details of a sing'
workers_get_worker: 'Get the details of the Cloudflare Worker.'
workers_get_worker_code: 'Get the source code of a Cloudflare Worker. Note: This may be a bundled version '
query_worker_observability: 'Query the Workers Observability API to analyze logs and metrics from your Cloudf'
observability_keys: 'Find keys in the Workers Observability Data\n\n## Best Practices\n- Set a high limi'
observability_values: 'Find values in the Workers Observability Data.\n\n## Troubleshooting\n- For no resu'
search_cloudflare_documentation: 'Search the Cloudflare documentation.\n\n\t\tThis tool should be used to answer any q'
migrate_pages_to_workers_guide: 'ALWAYS read this guide before migrating Pages projects to Workers.'
|
0ms |
| T01-003 | PASS | Resource Enumeration | Discovered 0 resource(s). | 0ms |
| T01-004 | PASS | Prompt Enumeration |
Discovered 1 prompt(s): workers-prompt-full.workers-prompt-full: 'Detailed prompt for generating Cloudflare Workers code (and other developer plat' (0 arg(s))
|
0ms |
| T01-005 | PASS | Tool Description Completeness | All 9 tool(s) have non-empty descriptions. | 0ms |
| T01-006 | PASS | Tool Schema Validity | All 9 tool(s) have valid JSON Schema inputSchema. | 0ms |
| T01-007 | PASS | Duplicate Tool Names | All 9 tool name(s) are unique. | 0ms |
| T01-008 | PASS | Tool Description Length | All 9 tool description(s) are within the 2,000-character limit. | 0ms |
| SCHEMA · 20 tests | ||||
| T06-004 | INFO | Return Type Consistency | No tools returned comparable JSON responses — consistency check not applicable. | 0ms |
| T06-006-workers_get_worker | INFO | Description Quality: workers_get_worker |
Tool 'workers_get_worker' description does not mention its parameters (scriptName).Description: 'Get the details of the Cloudflare Worker.'
Tool has 1 parameter(s) but the description contains no parameter documentation signals.
Remediation:
Include a brief description of each parameter in the tool's description so LLMs can construct valid calls. Example: 'Accepts: query (string) - the search query.' |
0ms |
| T06-006-workers_get_worker_code | INFO | Description Quality: workers_get_worker_code |
Tool 'workers_get_worker_code' description does not mention its parameters (scriptName).Description: 'Get the source code of a Cloudflare Worker. Note: This may be a bundled version of the worker.'
Tool has 1 parameter(s) but the description contains no parameter documentation signals.
Remediation:
Include a brief description of each parameter in the tool's description so LLMs can construct valid calls. Example: 'Accepts: query (string) - the search query.' |
0ms |
| T06-001 | PASS | Schema Structural Validity | All 9 tool inputSchema(s) are structurally valid. | 0ms |
| T06-002-observability_keys | PASS | Required Enforcement: observability_keys |
Tool 'observability_keys' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"keysQuery"
],
"me
|
3755ms |
| T06-002-observability_values | PASS | Required Enforcement: observability_values |
Tool 'observability_values' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"valuesQuery"
],
|
1379ms |
| T06-002-query_worker_observability | PASS | Required Enforcement: query_worker_observability |
Tool 'query_worker_observability' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query"
],
|
764ms |
| T06-002-search_cloudflare_documentation | PASS | Required Enforcement: search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool search_cloudflare_documentation: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query"
]
|
778ms |
| T06-002-workers_get_worker | PASS | Required Enforcement: workers_get_worker |
Tool 'workers_get_worker' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool workers_get_worker: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"scriptName"
],
"m
|
1445ms |
| T06-002-workers_get_worker_code | PASS | Required Enforcement: workers_get_worker_code |
Tool 'workers_get_worker_code' correctly raised an error when called with missing required fields.McpError: MCP error -32602: Invalid arguments for tool workers_get_worker_code: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"scriptName"
],
|
885ms |
| T06-003 | PASS | additionalProperties Strictness | All 9 tool(s) have 'additionalProperties': false. | 0ms |
| T06-005 | PASS | Overly Permissive Schema Detection | All 9 tool schema(s) are acceptably strict. | 0ms |
| T06-006-accounts_list | PASS | Description Quality: accounts_list |
Tool 'accounts_list' has an adequate description (44 chars).Description: 'List all accounts in your Cloudflare account'
|
0ms |
| T06-006-migrate_pages_to_workers_guide | PASS | Description Quality: migrate_pages_to_workers_guide |
Tool 'migrate_pages_to_workers_guide' has an adequate description (66 chars).Description: 'ALWAYS read this guide before migrating Pages projects to Workers.'
|
0ms |
| T06-006-observability_keys | PASS | Description Quality: observability_keys |
Tool 'observability_keys' has an adequate description (344 chars).Description: 'Find keys in the Workers Observability Data\n\n## Best Practices\n- Set a high limit (1000+) to ensure you see all available keys\n- Add the $metadata.service filter to narrow results to a specific Worker'
|
0ms |
| T06-006-observability_values | PASS | Description Quality: observability_values |
Tool 'observability_values' has an adequate description (204 chars).Description: 'Find values in the Workers Observability Data.\n\n## Troubleshooting\n- For no results, verify the field exists using observability_keys first\n- If expected values are missing, try broadening your time r'
|
0ms |
| T06-006-query_worker_observability | PASS | Description Quality: query_worker_observability |
Tool 'query_worker_observability' has an adequate description (1001 chars).Description: 'Query the Workers Observability API to analyze logs and metrics from your Cloudflare Workers.\n\n\t* A query typical query looks like this:\n\t\t\t\t{"view":"events","queryId":"workers-logs-events","limit":5,'
|
0ms |
| T06-006-search_cloudflare_documentation | PASS | Description Quality: search_cloudflare_documentation |
Tool 'search_cloudflare_documentation' has an adequate description (541 chars).Description: 'Search the Cloudflare documentation.\n\n\t\tThis tool should be used to answer any question about Cloudflare products or features, including:\n\t\t- Workers, Pages, R2, Images, Stream, D1, Durable Objects, K'
|
0ms |
| T06-006-workers_list | PASS | Description Quality: workers_list |
Tool 'workers_list' has an adequate description (114 chars).Description: 'List all Workers in your Cloudflare account.\n\nIf you only need details of a single Worker, use workers_get_worker.'
|
0ms |
| T16-003 | PASS | Tool Schema Required-Field Drift | No required-field drift detected. | 0ms |
| PERFORMANCE · 20 tests | ||||
| T00-003 | INFO | Connection Closed Mid-Scan (Rate Limit / Server Reset) |
The HTTP server closed the connection mid-scan. This is expected behaviour for production servers that apply rate-limiti…Unexpected HTTP/SSE transport error: HTTPStatusError: Client error '400 Bad Request' for url 'https://observability.mcp.cloudflare.com/mcp'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400 (caused by ExceptionGroup: unhandled errors in a TaskGroup (1 sub-exception))
Remediation:
Re-run with --no-load to skip T05 load tests and reduce the number of requests sent to the server. The connection drop does not indicate a vulnerability. |
482992ms |
| T08-001-05 | INFO | Baseline Latency: query_worker_observability |
Tool 'query_worker_observability' requires valid credentials or real parameters — latency probe skipped (API rejection, …McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query",
"parameters"
],
"message": "Required"
},
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
},
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
}
],
"path": [
"query",
"timeframe"
],
"message": "Invalid input"
}
]
McpError: MCP error -32602: Invalid arguments for tool query_worker_observability: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"query",
"queryId"
],
"message": "Required"
},
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query",
"parameters"
],
"message": "Required"
},
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"query",
"timeframe"
],
"message": "Required"
}
…
|
7246ms |
| T08-001-06 | INFO | Baseline Latency: observability_keys |
Tool 'observability_keys' requires valid credentials or real parameters — latency probe skipped (API rejection, not a se…McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"keysQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
},
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"keysQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
}
],
"path": [
"keysQuery",
"timeframe"
],
"message": "Invalid input"
}
]
McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"keysQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
},
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"keysQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
}
],
"path": [
"keysQuery",
"timeframe"
],
"message": "Invalid input"
}
]
McpError: MCP error -32602: Invalid arguments for tool observability_keys: [
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
…
|
4102ms |
| T08-001-07 | INFO | Baseline Latency: observability_values |
Tool 'observability_values' requires valid credentials or real parameters — latency probe skipped (API rejection, not a …McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
"received": "undefined",
"code": "invalid_type",
"path": [
"valuesQuery",
"type"
],
"message": "Required"
},
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"valuesQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
},
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"valuesQuery",
"timeframe"
],
"message": "Required"
}
],
"name": "ZodError"
}
],
"path": [
"valuesQuery",
"timeframe"
],
"message": "Invalid input"
}
]
McpError: MCP error -32602: Invalid arguments for tool observability_values: [
{
"code": "invalid_type",
"expected": "string",
"received": "undefined",
"path": [
"valuesQuery",
"key"
],
"message": "Required"
},
{
"expected": "'string' | 'boolean' | 'number'",
"received": "undefined",
"code": "invalid_type",
"path": [
"valuesQuery",
"type"
],
"message": "Required"
},
{
"code": "invalid_union",
"unionErrors": [
{
"issues": [
{
"code": "invalid_type",
"expected": "object",
"received": "undefined",
"path": [
"valuesQuery",
"timeframe"
…
|
4244ms |
| T08-003-00 | INFO | Resource Read Latency | No resources to benchmark. | 0ms |
| T05-001 | PASS | 10 Simultaneous Calls |
All 10 concurrent calls to 'accounts_list' succeeded with no data leakage.min=1233ms mean=1233ms max=1234ms
|
1543ms |
| T05-002 | PASS | 50 Sequential Rapid Calls |
p50=1385ms p95=3139ms p99=4189ms{
"tool": "accounts_list",
"calls": 50,
"errors": 0,
"min_ms": 1159.02,
"mean_ms": 1555.65,
"max_ms": 4188.78,
"p50_ms": 1385.47,
"p95_ms": 3139.43,
"p99_ms": 4188.78
}
|
77783ms |
| T05-003 | PASS | 100 Concurrent Calls (Stress Test) |
All 100 calls succeeded. Throughput: 6.7 calls/secThroughput: 6.7 calls/sec
|
14840ms |
| T05-004 | PASS | Connection Stability Under Rapid Reconnect |
Tool list consistent across all 5 reconnects: ['accounts_list', 'migrate_pages_to_workers_guide', 'observability_keys', …Reconnects: 5. Tools per connect: 9.
|
49600ms |
| T08-001-01 | PASS | Baseline Latency: accounts_list |
Tool 'accounts_list': mean=2529ms min=1610ms max=4229ms (5 samples).{
"accounts_list": {
"mean_ms": 2529.14,
"min_ms": 1609.57,
"max_ms": 4228.87,
"samples": [
3447.95,
4228.87,
1646.59,
1712.71,
1609.57
]
}
}
|
12646ms |
| T08-001-02 | PASS | Baseline Latency: workers_list |
Tool 'workers_list': mean=2037ms min=1340ms max=3031ms (5 samples).{
"workers_list": {
"mean_ms": 2037.38,
"min_ms": 1340.36,
"max_ms": 3031.27,
"samples": [
3031.27,
2427.17,
1601.66,
1340.36,
1786.42
]
}
}
|
10187ms |
| T08-001-03 | PASS | Baseline Latency: workers_get_worker |
Tool 'workers_get_worker': mean=2045ms min=1003ms max=3458ms (5 samples).{
"workers_get_worker": {
"mean_ms": 2045.33,
"min_ms": 1003.1,
"max_ms": 3457.65,
"samples": [
3457.65,
1003.1,
1441.15,
3172.6,
1152.16
]
}
}
|
10227ms |
| T08-001-04 | PASS | Baseline Latency: workers_get_worker_code |
Tool 'workers_get_worker_code': mean=1356ms min=1204ms max=1610ms (5 samples).{
"workers_get_worker_code": {
"mean_ms": 1356.45,
"min_ms": 1204.17,
"max_ms": 1610.13,
"samples": [
1204.17,
1610.13,
1316.64,
1388.62,
1262.68
]
}
}
|
6783ms |
| T08-001-08 | PASS | Baseline Latency: search_cloudflare_documentation |
Tool 'search_cloudflare_documentation': mean=2461ms min=1883ms max=3936ms (5 samples).{
"search_cloudflare_documentation": {
"mean_ms": 2461.24,
"min_ms": 1882.97,
"max_ms": 3936.12,
"samples": [
3936.12,
1990.1,
2204.73,
1882.97,
2292.28
]
}
}
|
12306ms |
| T08-001-09 | PASS | Baseline Latency: migrate_pages_to_workers_guide |
Tool 'migrate_pages_to_workers_guide': mean=997ms min=788ms max=1332ms (5 samples).{
"migrate_pages_to_workers_guide": {
"mean_ms": 996.83,
"min_ms": 787.97,
"max_ms": 1331.8,
"samples": [
909.1,
787.97,
1124.83,
830.46,
1331.8
]
}
}
|
4984ms |
| T08-002 | PASS | Tool Discovery Latency |
list_tools() mean=969ms min=828ms max=1307ms.{
"list_tools": {
"mean_ms": 968.62,
"min_ms": 827.95,
"max_ms": 1306.76,
"samples": [
827.95,
853.93,
1026.04,
1306.76,
828.44
]
}
}
|
4843ms |
| T08-004 | PASS | Cold Start Detection |
No significant cold-start penalty detected (ratio 0.8×, threshold 10×).Call 1 (cold): 1555ms
Calls 2-5 (warm): 1620ms, 3208ms, 1517ms, 1664ms
Warm mean: 2003ms Ratio: 0.8×
|
9566ms |
| T20-001 | PASS | Response-Size Drift | Response sizes stable (155→155 bytes, ratio 1.00×). | 55780ms |
| T20-002 | PASS | Latency Drift | Latency stable (1361.4→1564.7ms, ratio 1.15×). | 55780ms |
| T20-004 | PASS | Memory Leak — Summary | No memory growth signals over 40 probe calls. | 55780ms |