Glama

db.save_finding

Store vulnerability findings in a database for bug bounty programs, capturing target, type, severity, description, payload, response, and score data.

Instructions

Save a bug finding to the database

Input Schema

Name         Required  Description
target       Yes       Target URL or domain
type         Yes       Vulnerability type
severity     Yes       Severity level
description  Yes       Finding description
payload      No        Payload used
response     No        Response data
score        No        Severity score (0-10)

Implementation Reference

  • The core handler function for the 'db.save_finding' MCP tool. It constructs a Finding object from input params, calls the saveFinding helper to persist it to Postgres, and returns a formatted ToolResult.
    async (params: any): Promise<ToolResult> => {
      try {
        const finding: Finding = {
          target: params.target,
          type: params.type,
          severity: params.severity,
          description: params.description,
          payload: params.payload,
          response: params.response,
          timestamp: new Date(),
          score: params.score || 0,
        };
    
        const id = await saveFinding(finding);
        return formatToolResult(true, { id, finding });
      } catch (error: any) {
        return formatToolResult(false, null, error.message);
      }
    }
  • Registers the 'db.save_finding' tool on the MCP server, including description, input schema, and the handler function.
      'db.save_finding',
      {
        description: 'Save a bug finding to the database',
        inputSchema: {
          type: 'object',
          properties: {
            target: { type: 'string', description: 'Target URL or domain' },
            type: { type: 'string', description: 'Vulnerability type' },
            severity: {
              type: 'string',
              enum: ['low', 'medium', 'high', 'critical'],
              description: 'Severity level',
            },
            description: { type: 'string', description: 'Finding description' },
            payload: { type: 'string', description: 'Payload used' },
            response: { type: 'string', description: 'Response data' },
            score: { type: 'number', description: 'Severity score (0-10)' },
          },
          required: ['target', 'type', 'severity', 'description'],
        },
      },
      async (params: any): Promise<ToolResult> => {
        try {
          const finding: Finding = {
            target: params.target,
            type: params.type,
            severity: params.severity,
            description: params.description,
            payload: params.payload,
            response: params.response,
            timestamp: new Date(),
            score: params.score || 0,
          };
    
          const id = await saveFinding(finding);
          return formatToolResult(true, { id, finding });
        } catch (error: any) {
          return formatToolResult(false, null, error.message);
        }
      }
    );
  • Input schema for the db.save_finding tool, defining the target, type, severity, description, payload, response and score parameters.
    inputSchema: {
      type: 'object',
      properties: {
        target: { type: 'string', description: 'Target URL or domain' },
        type: { type: 'string', description: 'Vulnerability type' },
        severity: {
          type: 'string',
          enum: ['low', 'medium', 'high', 'critical'],
          description: 'Severity level',
        },
        description: { type: 'string', description: 'Finding description' },
        payload: { type: 'string', description: 'Payload used' },
        response: { type: 'string', description: 'Response data' },
        score: { type: 'number', description: 'Severity score (0-10)' },
      },
      required: ['target', 'type', 'severity', 'description'],
    },
  • Helper function that performs the actual database insertion of the Finding into the Postgres 'findings' table and returns the generated ID.
    export async function saveFinding(finding: Finding): Promise<number> {
      const client = await initPostgres().connect();
      try {
        const result: QueryResult = await client.query(
          `INSERT INTO findings (target, type, severity, description, payload, response, score, timestamp)
           VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
           RETURNING id`,
          [
            finding.target,
            finding.type,
            finding.severity,
            finding.description,
            finding.payload || null,
            finding.response || null,
            finding.score || 0,
            finding.timestamp,
          ]
        );
        return result.rows[0].id;
      } finally {
        client.release();
      }
    }
  • TypeScript interface defining the structure of a Finding object used by db.save_finding.
    export interface Finding {
      id?: string;
      target: string;
      type: string;
      severity: 'low' | 'medium' | 'high' | 'critical';
      description: string;
      payload?: string;
      response?: string;
      timestamp: Date;
      score?: number;
    }
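The handler above types its input as `params: any` and relies on the JSON schema for the severity enum and on the parameter description alone for the 0-10 score range; neither the handler nor saveFinding checks those constraints before the row is inserted. The following TypeScript is an added example, not VulneraMCP's code, showing a runtime validator that enforces the same constraints the schema declares and returns either a typed Finding or a list of errors. The Finding interface is copied locally so the file runs on its own; the names validateFinding, checkText and the MAX_FIELD_LENGTH bound are assumptions of this example and do not exist in the project.

```typescript
// Added example, not VulneraMCP code: runtime validation of db.save_finding input.
type Severity = 'low' | 'medium' | 'high' | 'critical';

// Local copy of the page's Finding interface so this file runs stand-alone.
interface Finding {
  id?: string;
  target: string;
  type: string;
  severity: Severity;
  description: string;
  payload?: string;
  response?: string;
  timestamp: Date;
  score?: number;
}

// Same enum the tool's inputSchema declares for 'severity'.
const SEVERITIES: readonly Severity[] = ['low', 'medium', 'high', 'critical'];
// Assumed upper bound on free-text fields; the project defines no such limit.
const MAX_FIELD_LENGTH = 65536;

type ValidationResult =
  | { ok: true; finding: Finding }
  | { ok: false; errors: string[] };

function isSeverity(v: unknown): v is Severity {
  return typeof v === 'string' && (SEVERITIES as readonly string[]).includes(v);
}

// Checks one string field; pushes a message onto `errors` and returns undefined on failure.
function checkText(
  params: Record<string, unknown>,
  key: string,
  required: boolean,
  errors: string[],
): string | undefined {
  const v = params[key];
  if (v === undefined || v === null) {
    if (required) errors.push(`${key}: required`);
    return undefined;
  }
  if (typeof v !== 'string') {
    errors.push(`${key}: must be a string`);
    return undefined;
  }
  if (required && v.trim() === '') {
    errors.push(`${key}: must not be empty`);
    return undefined;
  }
  if (v.length > MAX_FIELD_LENGTH) {
    errors.push(`${key}: exceeds ${MAX_FIELD_LENGTH} characters`);
    return undefined;
  }
  return v;
}

// Validates raw tool parameters and builds the Finding the handler would pass to saveFinding.
export function validateFinding(params: unknown): ValidationResult {
  const errors: string[] = [];
  if (typeof params !== 'object' || params === null || Array.isArray(params)) {
    return { ok: false, errors: ['params: must be an object'] };
  }
  const p = params as Record<string, unknown>;

  const target = checkText(p, 'target', true, errors);
  const type = checkText(p, 'type', true, errors);
  const description = checkText(p, 'description', true, errors);
  const payload = checkText(p, 'payload', false, errors);
  const response = checkText(p, 'response', false, errors);

  // Enforce the schema's enum in code as well, not only in the schema.
  if (!isSeverity(p.severity)) {
    errors.push(`severity: must be one of ${SEVERITIES.join(', ')}`);
  }

  // Score is optional; when present it must be a finite number in [0, 10].
  // A score of 0 is kept as 0 (the handler's `params.score || 0` also yields 0 there).
  let score = 0;
  if (p.score !== undefined && p.score !== null) {
    if (typeof p.score !== 'number' || !Number.isFinite(p.score) || p.score < 0 || p.score > 10) {
      errors.push('score: must be a number between 0 and 10');
    } else {
      score = p.score;
    }
  }

  if (errors.length > 0) return { ok: false, errors };
  return {
    ok: true,
    finding: {
      target: target!,
      type: type!,
      severity: p.severity as Severity,
      description: description!,
      payload,
      response,
      timestamp: new Date(),
      score,
    },
  };
}
```

In the handler, a failed validation would be returned through formatToolResult(false, null, errors.join('; ')) before saveFinding is ever called, so malformed or out-of-range findings never reach the INSERT.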
Behavior: 2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It states 'Save', which implies a write/mutation operation, but it doesn't disclose critical behavioral traits: whether this creates new records or updates existing ones, authentication requirements, potential side effects, error conditions, or what happens on success or failure. The description is minimal and lacks the necessary operational context.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is extremely concise at just 6 words, front-loading the essential action and resource. There's zero wasted language or unnecessary elaboration. Every word earns its place in conveying the core functionality.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a write operation tool with 7 parameters, no annotations, and no output schema, the description is incomplete. It doesn't address what the tool returns, error handling, success conditions, or how it differs from sibling tools. The minimal description leaves significant gaps in understanding the tool's full behavior and integration context.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so all parameters are documented in the schema. The description adds no parameter semantics beyond what the schema provides; it doesn't explain relationships between parameters (e.g., how 'score' relates to 'severity'), format expectations, or usage examples. The baseline of 3 is appropriate when the schema does the heavy lifting.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the action ('Save') and resource ('a bug finding to the database'), making the purpose immediately understandable. However, it doesn't differentiate from sibling tools like 'db.get_findings' or 'db.get_statistics', which would require mentioning this is specifically for creating/adding new findings rather than retrieving existing ones.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives. It doesn't mention prerequisites (e.g., needing a valid bug finding to save), nor does it differentiate from sibling tools like 'db.get_findings' (for retrieval) or other database operations. Usage context is implied but not explicitly stated.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.


MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/telmon95/VulneraMCP'
