Skip to content

Tool description misleads LLMs about __in filter support — silently returns all records #79

@davidpechcz

Description

@davidpechcz

Steps to Reproduce

MCP client: Claude Code (claude-opus-4-6)

  1. Find a VM with multiple interfaces:

    netbox_get_objects("virtualization.vminterface", {"virtual_machine_id": 306599})
    # Returns 2 interfaces: eth0 (ID: 621493), eth1 (ID: 631527)
  2. Query IPs using __in suffix as suggested by the tool description (Lookup suffixes: ... in):

    netbox_get_objects("ipam.ipaddress", {"vminterface_id__in": [621493, 631527]}, limit=10)
  3. Also tried with comma-separated string:

    netbox_get_objects("ipam.ipaddress", {"vminterface_id__in": "621493,631527"}, limit=10)

Expected Behavior

Should return 5 IP addresses (3 for eth0 + 2 for eth1), same as querying each interface individually:

netbox_get_objects("ipam.ipaddress", {"vminterface_id": 621493})  # Returns 3 IPs ✅
netbox_get_objects("ipam.ipaddress", {"vminterface_id": 631527})  # Returns 2 IPs ✅

Observed Behavior

Both __in queries return >1k results — effectively every IP address in NetBox. The filter is silently ignored by NetBox/Django REST Framework (no error returned), so the LLM has no way to detect the failure and proceeds to work with incorrect data.

The tool description actively encourages this pattern:

Valid: Lookups like {'name__ic': 'switch', 'id__in': [1,2,3], 'vid__gte': 100}
Lookup suffixes: n, ic, nic, isw, nisw, iew, niew, ie, nie, empty, regex, iregex, lt, lte, gt, gte, in

This implies __in works universally on all fields, but relationship fields like vminterface_id on ipam.ipaddress only support exact match. The same issue was confirmed with assigned_object_id__in.

Suggested fix: Add a warning to the tool description that not all fields support all lookup suffixes, and that unsupported lookups are silently ignored by NetBox (returning all records). Optionally, the MCP server could detect suspiciously large result sets when restrictive filters were provided.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions