Glama

find_second_order_injection

Identifies second-order injection by tracing taint from JPA writes to reads that reach dangerous sinks. Prioritizes manual review using structural analysis.

Instructions

Detect second-order injection patterns: taint written to DB then read back unsanitized.

A second-order (stored) injection occurs when:
  1. User-controlled data reaches a persistence write (JPA save/persist/merge).
  2. That same data is later read back from the DB and passed to a dangerous sink.

Orihime approximates this by finding:
  - Methods that write to a JPA entity (call to save/persist/merge on a Repository
    class or on an EntityManager).
  - Methods that read from the same entity type (findById/findAll/executeQuery) AND
    whose return value flows into a sink (detected via call chain analysis).

This is a structural approximation — it is not full data-flow. False positives are
expected; use it to prioritise manual review, not as a definitive scanner.

Args:
    repo_name: Repository to analyse.

Returns:
    List of dicts with keys:
        ``entity_fqn``, ``write_method_fqn``, ``read_method_fqn``,
        ``read_file_path``, ``risk_level``.
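The heuristic described above, as an added example that is not Orihime's own code and not part of this page: a small Python sketch of the structural approximation over constructed call-graph facts (the kind of facts a Java analyser would extract). The sink list, the risk-level rule and the sample methods are assumptions made for the example; the result dicts carry the keys listed under Returns.

```python
"""Structural approximation of second-order injection, as described above.

Added example, not Orihime's own code. Call-graph facts are constructed sample
data; the sink set and the risk-level rule are assumptions for this example.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Persistence calls named in the tool description.
WRITE_CALLS = {"save", "persist", "merge"}
READ_CALLS = {"findById", "findAll", "executeQuery"}
# Constructed sink set (assumption): callees that interpret a string argument.
SINK_CALLS = {"EntityManager.createNativeQuery", "Statement.execute", "Runtime.exec"}


@dataclass
class Call:
    callee: str                        # e.g. "CommentRepository.findById"
    entity_fqn: Optional[str] = None   # entity type for Repository/EntityManager calls


@dataclass
class Method:
    fqn: str
    file_path: str
    calls: List[Call] = field(default_factory=list)


CallGraph = Dict[str, Method]


def is_persistence_call(call: Call, names: set) -> bool:
    """True when `call` is one of `names` on a Repository class or an EntityManager."""
    owner, _, simple = call.callee.rpartition(".")
    on_persistence = owner.endswith("Repository") or owner == "EntityManager"
    return on_persistence and simple in names and call.entity_fqn is not None


def sink_distance(graph: CallGraph, start: str) -> Optional[int]:
    """Shortest call-chain depth from `start` to a sink call (0 = invoked directly
    inside `start`), or None if no sink is reachable. This is the structural
    shortcut: any path to a sink counts, whether or not the read-back value is
    really the argument that reaches it, which is where false positives come from."""
    queue = deque([(start, 0)])
    seen = {start}
    while queue:
        fqn, depth = queue.popleft()
        for call in graph[fqn].calls:
            if call.callee in SINK_CALLS:
                return depth
            if call.callee in graph and call.callee not in seen:
                seen.add(call.callee)
                queue.append((call.callee, depth + 1))
    return None


def find_second_order_injection(graph: CallGraph) -> List[dict]:
    """Pair each method that writes an entity with each method that reads the same
    entity type and can reach a sink. Returns dicts in the tool's result shape."""
    writes: Dict[str, List[str]] = {}
    for method in graph.values():
        for call in method.calls:
            if is_persistence_call(call, WRITE_CALLS):
                writes.setdefault(call.entity_fqn, []).append(method.fqn)

    findings = []
    for method in graph.values():
        read_entities = {c.entity_fqn for c in method.calls if is_persistence_call(c, READ_CALLS)}
        if not read_entities:
            continue
        distance = sink_distance(graph, method.fqn)
        if distance is None:
            continue  # the read never reaches a sink: no finding
        # Assumed rule: sink inside the reading method itself = high; further down
        # the chain = medium (more structure between read and sink, more FP risk).
        risk = "high" if distance == 0 else "medium"
        for entity in read_entities:
            for writer in writes.get(entity, []):
                findings.append({
                    "entity_fqn": entity,
                    "write_method_fqn": writer,
                    "read_method_fqn": method.fqn,
                    "read_file_path": method.file_path,
                    "risk_level": risk,
                })
    findings.sort(key=lambda f: (f["entity_fqn"], f["read_method_fqn"], f["write_method_fqn"]))
    return findings


def sample_graph() -> CallGraph:
    """Constructed call-graph facts for a toy forum app (sample data, not analysis output)."""
    methods = [
        Method("CommentController.create", "src/main/java/app/CommentController.java",
               [Call("CommentRepository.save", "com.example.Comment")]),
        Method("CommentService.render", "src/main/java/app/CommentService.java",
               [Call("CommentRepository.findById", "com.example.Comment"),
                Call("ReportBuilder.build")]),
        Method("ReportBuilder.build", "src/main/java/app/ReportBuilder.java",
               [Call("EntityManager.createNativeQuery")]),      # sink, one hop away
        Method("AuditService.export", "src/main/java/app/AuditService.java",
               [Call("CommentRepository.findAll", "com.example.Comment"),
                Call("Statement.execute")]),                    # sink, called directly
        Method("UserController.register", "src/main/java/app/UserController.java",
               [Call("UserRepository.save", "com.example.User")]),
        Method("UserService.lookup", "src/main/java/app/UserService.java",
               [Call("UserRepository.findById", "com.example.User"),
                Call("Logger.info")]),                          # no sink reachable
    ]
    return {m.fqn: m for m in methods}


if __name__ == "__main__":
    for finding in find_second_order_injection(sample_graph()):
        print(finding)
```

On the sample graph this reports two findings for `com.example.Comment` and none for `com.example.User`, because `UserService.lookup` reads the entity but never reaches a sink. Note that `CommentService.render` is flagged even though nothing in the facts proves the comment text is what reaches `createNativeQuery`; that is exactly the kind of hit the description says to triage by hand.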

Input Schema

Name        Required   Description   Default
repo_name   Yes

Output Schema

Name        Required   Description   Default
result      Yes

Behavior: 4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden. It discloses that the tool approximates second-order injection via structural analysis (write to JPA entity, read to sink), that it's not full data-flow, and that false positives are expected. This goes well beyond a simple 'detect' statement, though it could explicitly state it's read-only (implicit for analysis).

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured: a one-sentence summary first, then detailed explanation of the injection pattern and approximation, followed by limitations, args, and returns. Every sentence adds value, and the front-loading ensures key info is immediately visible. It's perfectly concise for the tool's complexity.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

The description fully explains the detection approach, limitations (structural approximation, false positives), and output format. The output schema is described in the description, so agents understand return values. Given the tool's complexity and the presence of sibling analysis tools, this is a complete and self-contained description.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The schema coverage is 0% (no parameter descriptions in schema), but the description adds 'repo_name: Repository to analyse.' While minimal, this clarifies the parameter's role beyond the schema's title. The parameter is self-explanatory, and the description compensates adequately for the lack of schema coverage.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool detects second-order injection patterns, describes the two-step (write then read) process, and explicitly labels it as a structural approximation. This differentiates it from sibling taint analysis tools like find_taint_flows, which handle direct flows. The verb 'Detect' and specific resource 'second-order injection patterns' provide a precise purpose.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description gives clear context: it's an approximation, not a definitive scanner, to be used for prioritizing manual review. This implies when to use (for discovery) and when not (as sole decision). It does not explicitly name alternatives, but the sibling list provides that context. The guidance on false positives is valuable.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/srinivasan-sundaresan95/orihime'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.