17 tools. 10 can modify or destroy data without limits.
3 destructive tools with no built-in limits. Policy required.
Last updated:
Destructive tools (sheets_spreadsheets_values_batchClear, sheets_spreadsheets_values_batchClearByDataFilter, sheets_spreadsheets_values_clear) permanently delete resources. There is no undo. An agent calling these in a retry loop causes irreversible damage.
Write operations (sheets_spreadsheets_batchUpdate, sheets_spreadsheets_create, sheets_spreadsheets_sheets_copyTo) modify state. Without rate limits, an agent can make hundreds of changes in seconds — faster than any human can review or revert.
Intercept sits between your agent and Google Workspace Sheets (gws CLI). Every tool call checked against your policy before it executes — so your agent can do its job without breaking things.
npx -y @policylayer/intercept scan -- npx -y @gws mcp -s sheets sheets_spreadsheets_values_batchClear:
rules:
- action: deny Destructive tools should never be available to autonomous agents without human approval.
sheets_spreadsheets_batchUpdate:
rules:
- rate_limit: 30/hour Prevents bulk unintended modifications from agents caught in loops.
sheets_spreadsheets_developerMetadata_get:
rules:
- rate_limit: 60/minute Controls API costs and prevents retry loops from exhausting upstream rate limits.
Yes. The Google Workspace Sheets (gws CLI) server exposes 3 destructive tools including sheets_spreadsheets_values_batchClear, sheets_spreadsheets_values_batchClearByDataFilter, sheets_spreadsheets_values_clear. These permanently remove resources with no undo. Intercept blocks destructive tools by default so they never reach the upstream server.
The Google Workspace Sheets (gws CLI) server has 7 write tools including sheets_spreadsheets_batchUpdate, sheets_spreadsheets_create, sheets_spreadsheets_sheets_copyTo. Set rate limits in your policy file -- for example, rate_limit: 10/hour prevents an agent from making more than 10 modifications per hour. Intercept enforces this at the transport layer.
17 tools across 3 categories: Destructive, Read, Write. 7 are read-only. 10 can modify, create, or delete data.
One line change. Instead of running the Google Workspace Sheets (gws CLI) server directly, prefix it with Intercept: intercept -c google-workspace-sheets.yaml -- npx -y @@gws mcp -s sheets. Download a pre-built policy from policylayer.com/policies/google-workspace-sheets and adjust the limits to match your use case.
Starter policies available for each. Same risk classification, same one-command setup.
Set budgets, approvals, and hard limits across MCP servers.
npx -y @policylayer/intercept init