fix(mcp): treat allowed-tools as a permission declaration for LP3#27
Open
CharmingGroot wants to merge 1 commit into
Open
fix(mcp): treat allowed-tools as a permission declaration for LP3#27CharmingGroot wants to merge 1 commit into
CharmingGroot wants to merge 1 commit into
Conversation
LP3 fired on standard-compliant skills that declare capabilities via the Agent Skills `allowed-tools` field: _parse_manifest dropped allowed-tools, and the analyzer only read `permissions`, so a skill declaring `allowed-tools: [Bash, Read]` was reported as having no declared permissions. Parse and preserve `allowed-tools` (list or comma-separated string) in _parse_manifest, and treat a non-empty allowed-tools alongside `permissions` when evaluating LP3's "no declared permissions" condition. LP1/LP4 continue to use the explicit `permissions` list only. Add regression tests for allowed-tools parsing (both forms) and for LP3 no longer firing when allowed-tools is declared. Signed-off-by: CharmingGroot <70020572+CharmingGroot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #15.
While reading the MCP least-privilege path I confirmed the reported false positive. LP3 flags standard-compliant skills, and the cause is a field-name mismatch between SkillSpector and the Agent Skills standard.
What this fixes
LP3 ("no declared permissions but code capabilities were detected") fired on skills that declare capabilities through
allowed-tools, the field defined by the Agent Skills standard. Two things combined to cause it:_parse_manifestonly extractedpermissionsand droppedallowed-tools, so the field never reached the analyzer.mcp_least_privilegeonly readpermissions, so a skill declaring e.g.allowed-tools: [Bash, Read]was treated as having no declaration at all._parse_manifestnow parses and preservesallowed-tools(both the list form[Bash, Read]and the comma-separated string formBash, Read), and LP3 treats a non-emptyallowed-toolsas a valid declaration. LP1/LP4 continue to use the explicitpermissionslist only, so this change stays scoped to the LP3 false positive in the issue.Scanning a skill that declares
allowed-tools: [Bash, Read]with shell/file-read code no longer reports LP3.Testing
ruff check src/ tests/andruff format --check src/ tests/pass.pytest -m 'not integration'passes (605 passed, 11 skipped). The integration suite needs an LLM endpoint and is unaffected.allowed-toolsparsing in build_context (list, comma-string, and malformed-value forms) and LP3 not firing whenallowed-toolsis declared. The existing "no declaration" test still asserts LP3 fires.