Loxo Recruitment
Integrates with Loxo's recruitment platform API to streamline hiring processes through automated candidate tracking, job matching, and task management.
0Tools
15Findings
1Stars
Mar 22, 2026Last Scanned
6 critical · 6 high · 2 medium · 1 low findings detected
Security Category Deep Dive
Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
100%4 rules
Hidden instructions via external content and tool responses
100%2 rules
Context window saturation and prior-approval exploitation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
100%2 rules
Injection via prompt templates and runtime tool output
Findings15
6critical
6high
2medium
1low
Critical6
criticalC1Command InjectionMCP03-command-injectionAML.T0054
Pattern "`[^`]+`" matched in source_code: "`https://${env.LOXO_DOMAIN}/api`" (at position 1249)
Replace exec()/execSync() with execFile() and pass arguments as an array, never as a string. Validate all inputs against an allowlist before use in any shell context. For subprocess.run, always pass a list and shell=False.
criticalK8Cross-Boundary Credential SharingMCP05-privilege-escalationAML.T0054
Pattern "(return|respond|output|result).*(?:token|credential|api[_\s-]?key|secret|password|bearer)" matched in source_code: "return `Authentication failed: Invalid or expired API key.\n\nNext steps:\n1. Verify your LOXO_API_KEY in .env is correct\n2. Check if your API key" (at position 8335)
Never forward, share, or embed credentials across trust boundaries. Use OAuth token exchange (RFC 8693) to create scoped, delegated tokens instead of passing original credentials. Never include credentials in tool responses. Required by ISO 27001 A.5.17 and OWASP ASI03.
criticalQ11Code Suggestion Poisoning via MCPMCP01-prompt-injectionAML.T0054.001
Pattern "(?:suggest|generate|complete|insert).*(?:code|function|class|import|require)" matched in source_code: "complete education history for a candidate (degrees, schools, graduation dates, descriptions). Returns list of all education entries. Use loxo_get_person_education_profile_detail for additional details if needed. Example: Check if candidate has require" (at position 32166)
MCP tool outputs flowing into IDE code suggestion contexts must be sanitized. Implement output content policies that: (1) strip hidden Unicode characters (zero-width, RTL override, tag characters), (2) detect embedded instructions targeting AI code assistants, (3) validate code blocks against security patterns before they enter the suggestion pipeline, (4) never include shell commands in tool outputs without explicit [COMMAND] markers visible to the user. Reference: IDEsaster (Dec 2025), arXiv 2509.22040.
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "(?:mcp|fastmcp|langchain-mcp|llama-index-mcp)(?:>=|~=|==)?(?!\d)" matched in source_code: "MCP" (at position 288)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
criticalQ8Cross-Protocol Authentication ConfusionMCP07-insecure-configT1550
Pattern "(?:oauth|bearer).{0,100}(?:api[_\s-]?key|x-api-key|apiKey)" matched in source_code: "Bearer ${env.LOXO_API_KEY" (at position 10398)
MCP servers supporting multiple protocols must enforce authentication independently per protocol. Never reuse OAuth tokens across protocol boundaries. Implement protocol-specific middleware with explicit auth checks on every path. Audit auth coverage for all transport types (stdio, SSE, Streamable HTTP, REST). Reference: CVE-2025-6514 demonstrated that auth library vulnerabilities in MCP's OAuth layer cascade to all protocols sharing the same auth middleware.
criticalQ9Agentic Workflow DAG ManipulationMCP05-privilege-escalationAML.T0058
Pattern "(?:graph|workflow|pipeline|dag).*(?:modify|update|mutate|alter|change)" matched in source_code: "workflow: (1) loxo_create_candidate with name/email/phone/title/company, (2) loxo_update" (at position 41942)
MCP tools must NOT modify agentic workflow graphs, execution order, or routing during runtime. Workflow structure should be immutable once execution begins. If dynamic workflow modification is required, implement: (1) approval gates that require human confirmation before graph mutations, (2) integrity checks that validate the workflow graph against a known-good baseline after each step, (3) audit logging of all graph modifications with rollback capability. Reference: arXiv 2602.19555, Trend Micro subgraph impersonation attack (2026).
High6
highK16Unbounded Recursion / Missing Depth LimitsMCP07-insecure-configAML.T0054
Pattern "function\s+(\w+).*\{[^}]*\1\s*\((?!.*(?:depth|level|limit|max|count|recursi))" matched in source_code: "function formatResponse(data: any, format: 'json' | 'markdown' = 'json'): string {
if (" (at position 2025)
Add explicit depth/recursion limits to all recursive operations. Use iterative approaches where possible. Set maximum depth for directory walking (max_depth=10), tree traversal (max_level=20), and agent re-invocation (max_calls=5). Implement circuit breakers that halt after N iterations. Required by EU AI Act Art. 15 (robustness) and OWASP ASI08.
highC3Server-Side Request Forgery (SSRF)MCP04-data-exfiltrationAML.T0057
Pattern "\bfetch\s*\(\s*(?:req|request|input|param|params|args|url|uri|href|link|target|destination|endpoint|host|address|resource|src|source|location|proxy|callback|userUrl|user_url|externalUrl|external_url|redirectUrl|redirect_url)" matched in source_code: "fetch(url" (at position 10503)
Validate ALL user-supplied URLs before making HTTP requests:
1. Parse the URL and check the hostname against an explicit allowlist of permitted domains.
2. Block requests to RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
3. Block loopback (127.0.0.0/8), link-local (169.254.0.0/16), and IPv6 equivalents.
4. Block file:// and other non-http(s) protocols explicitly.
5. Disable automatic redirect following, or re-validate each redirect destination.
6. In cloud environments: block requests to IMDS endpoints (169.254.169.254,
metadata.google.internal) at both the application AND network layer.
Example (Node.js): Use the `ssrf-req-filter` package or implement URL validation
against an allowlist before calling fetch/axios/got.
highK1Absent Structured LoggingMCP09-logging-monitoringAML.T0054
Pattern "console\.(log|warn|error)\s*\(.*(?:tool|request|handler|execute|invoke)" matched in source_code: "console.error('Request" (at position 12166)
Implement structured logging (pino, winston, or equivalent) for all tool call handlers. Every tool invocation should log: timestamp, tool name, caller identity, parameters (sanitized), result status, and duration. Required by ISO 27001 A.8.15, CoSAI MCP-T12, and NIST AI RMF MEASURE 2.6.
highK13Unsanitized Tool OutputMCP02-tool-poisoningAML.T0054
Pattern "(?:query|execute|select|find).*(?:return|respond|result|rows|data)(?!.*(?:sanitize|escape|encode|map|filter|select|pick))" matched in source_code: "query syntax. Uses cursor-based pagination with scroll_id. Returns skillsets and tags in results for filtering without additional API calls.\n\nIMPORTANT - LOXO FIELD NAME MAPPING:\n- Query uses 'skills' (search index field): query='skills:\"Python\"'\n- Response returns 'skillsets' (API field): {skillsets: \"Python, JavaScript\"}\n- Query uses 'all_raw_tags', response returns 'all_raw_tags' (same)\n\nSIMPLE QUERY EXAMPLES:\n(1) Past employer: query='job_profiles.company_name:\"Google\"'\n(2) Skills: query='skills:\"Python\"'\n(3) Current role: company='Acme Corp' and title='Engineer'\n\nCOMPLEX MULTI-CRITERIA EXAMPLES:\n(4) Multiple titles with skills: query='(current_title:\"Director\" OR current_title:\"Senior Director\") AND skills:\"financial due diligence\"'\n(5) Multiple role types at specific level: query='(current_title:(\"Deal Advisory\" OR \"Transaction Services\" OR \"Transaction Advisory\")) AND current_title:\"Director\" AND skills:\"due diligence\"'\n(6) Past companies with skills: query='(job_profiles.company_name:(\"KPMG\" OR \"Deloitte\" OR \"PwC\" OR \"EY\")) AND skills:(\"M&A\" OR \"financial due diligence\")'\n(7) Combined current AND past: query='current_title:\"Director\" AND job_profiles.company_name:(\"Big 4\") AND skills:\"financial modeling\"'\n(8) Tags: query='all_raw_tags:\"key account\"'\n\nNULL/EMPTY FIELD SEARCHES (data quality checks):\n(9) Candidates WITHOUT skills: query='NOT _exists_:skills'\n(10) Candidates WITH skills: query='_exists_:skills'\n(11) Candidates WITHOUT tags: query='NOT _exists_:all_raw_tags'\n(12) Candidates missing location: query='NOT _exists_:location'\n(13) Candidates missing current company: query='NOT _exists_:current_company'\n\nTIPS: Use OR for multiple options, AND to combine criteria, parentheses for grouping, NOT _exists_:fieldname for null checks. ALWAYS use search index field names (skills not skillsets) in queries. Start with comprehensive queries to get all relevant candidates in fewer API calls.\n\nReturn" (at position 22728)
Sanitize all external data before including in tool responses. Implement output encoding that neutralizes prompt injection patterns. Truncate excessively long content. Validate structure before passing database results. Apply the principle: treat all external data as untrusted, even in tool outputs. Required by CoSAI MCP-T4.
highK4Missing Human Confirmation for Destructive OpsMCP06-excessive-permissionsAML.T0054
Pattern "(delete|remove|drop|truncate|destroy|purge|wipe|erase).*(?:execute|run|perform|call)(?!.*(?:confirm|approve|prompt|ask|verify|consent))" matched in source_code: "truncateResponse(content: string, limit: number = CHARACTER_LIMIT): { text: string; wasTrun" (at position 1472)
All destructive operations (delete, drop, overwrite, send) MUST include a human confirmation step. Use the MCP destructiveHint annotation to signal that client-side confirmation is required. Implement an approval gate pattern: preview changes → request confirmation → execute. Required by ISO 42001 A.9.1, EU AI Act Art. 14, and NIST AI RMF GOVERN 1.7.
highQ14Concurrent MCP Server Race ConditionMCP07-insecure-configT1068
Pattern "(?:read|write|modify|delete).*(?:file|path|directory)(?!.*(?:lock|mutex|semaphore|flock|atomic))" matched in source_code: "write a personalised message without making multiple API calls. Returns: profile" (at position 46108)
MCP servers sharing filesystem or database backends with other servers must implement proper concurrency controls. Use: (1) file locking (flock/lockfile) for filesystem operations, (2) database transactions for all read-modify-write sequences, (3) atomic file operations (O_EXCL, mkdtemp) instead of check-then-create, (4) lstat() to detect symlinks before following (CVE-2025-53109). Never assume exclusive access to shared resources — other MCP servers may be operating concurrently.
Medium2
mediumK20Insufficient Audit Context in LoggingMCP09-logging-monitoringAML.T0054
Pattern "console\.(log|warn|error)\s*\(\s*["'`](?:request|handling|processing|executing|tool|invoke)" matched in source_code: "console.error('Request" (at position 12166)
Use structured logging that includes all five ISO 27001 A.8.15 fields: (1) WHO — agent/user identity, (2) WHAT — tool name and operation, (3) WHEN — ISO 8601 timestamp, (4) WHERE — server ID and correlation ID, (5) OUTCOME — success/failure and result summary. Replace console.log with structured loggers (pino, winston). Add correlation IDs for request tracing across multi-agent chains.
mediumK17Missing Timeout or Circuit BreakerMCP07-insecure-configAML.T0054
Pattern "(?:fetch|axios|got|request|urllib|httpx|http\.get|http\.post)\s*\((?!.*(?:timeout|signal|AbortSignal|deadline|cancel))" matched in source_code: "fetch(" (at position 10503)
Add timeouts to ALL external calls: HTTP requests (30s), database queries (10s), subprocess execution (60s), and MCP tool calls (30s). Implement circuit breakers that open after N consecutive failures (e.g., opossum, cockatiel). Use AbortSignal for cancellable operations. Required by EU AI Act Art. 15 and OWASP ASI08.
Low1
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.