// SCAN REPORT

Fleet

132 tools. 57 can modify or destroy data without limits.

15 destructive tools with no built-in limits. Policy required.

Last updated: 5 Apr 2026

57 can modify or destroy data

75 read-only

132 tools total

// TOOL MAP

Read (75) Write / Execute (42) Destructive / Financial (15)

// WHAT CAN GO WRONG

Destructive tools (fleet_delete_bootstrap_package, fleet_delete_host, fleet_delete_invite) permanently delete resources. There is no undo. An agent calling these in a retry loop causes irreversible damage.

Write operations (fleet_add_app_store_app, fleet_add_labels_to_host, fleet_add_team_users) modify state. Without rate limits, an agent can make hundreds of changes in seconds — faster than any human can review or revert.

Execute tools (fleet_install_software, fleet_lock_device, fleet_lock_host) trigger processes with side effects. Builds, notifications, workflows — all fired without throttling.

One command. Full control.

Intercept sits between your agent and Fleet. Every tool call checked against your policy before it executes — so your agent can do its job without breaking things.

npx -y @policylayer/intercept scan -- npx -y @fleet-mcp

Scans every tool. Generates a policy. Starts enforcing.

Works with Claude Code · Cursor · Claude Desktop · Windsurf · any MCP client

// RECOMMENDED RULES

Deny destructive operations

fleet_delete_bootstrap_package:
  rules:
    - action: deny

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations

fleet_add_app_store_app:
  rules:
    - rate_limit: 30/hour

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations

fleet_find_software_on_host:
  rules:
    - rate_limit: 60/minute

Controls API costs and prevents retry loops from exhausting upstream rate limits.

// ALL 132 FLEET TOOLS

DESTRUCTIVE 15 tools

EXECUTE 10 tools

Execute fleet_install_software Execute fleet_lock_device Execute fleet_lock_host Execute fleet_query_host Execute fleet_query_host_by_identifier Execute fleet_refetch_host Execute fleet_run_batch_script Execute fleet_run_live_query_with_results Execute fleet_run_saved_query Execute fleet_run_script

WRITE 32 tools

READ 75 tools

Read fleet_find_software_on_host Read fleet_get_batch_script Read fleet_get_bootstrap_metadata Read fleet_get_bootstrap_summary Read fleet_get_carve Read fleet_get_carve_block Read fleet_get_certificate Read fleet_get_config Read fleet_get_cve Read fleet_get_device_info Read fleet_get_enroll_secrets Read fleet_get_filevault_summary Read fleet_get_host Read fleet_get_host_by_identifier Read fleet_get_host_device_mapping Read fleet_get_host_encryption_key Read fleet_get_host_macadmins Read fleet_get_host_mdm Read fleet_get_host_mdm_profiles Read fleet_get_host_software Read fleet_get_label Read fleet_get_mdm_command_results Read fleet_get_mdm_profiles_summary Read fleet_get_osquery_table_schema Read fleet_get_pack Read fleet_get_policy_results Read fleet_get_query Read fleet_get_query_report Read fleet_get_script Read fleet_get_script_result Read fleet_get_session Read fleet_get_setup_assistant Read fleet_get_software Read fleet_get_software_install_result Read fleet_get_software_title Read fleet_get_team Read fleet_get_team_secrets Read fleet_get_user Read fleet_get_version Read fleet_get_vulnerabilities Read fleet_health_check Read fleet_list_activities Read fleet_list_app_store_apps Read fleet_list_batch_script_hosts Read fleet_list_batch_scripts Read fleet_list_carves Read fleet_list_host_certificates Read fleet_list_host_past_activities Read fleet_list_host_scripts Read fleet_list_host_upcoming_activities Read fleet_list_hosts Read fleet_list_invites Read fleet_list_labels Read fleet_list_mdm_apple_installers Read fleet_list_mdm_commands Read fleet_list_mdm_devices Read fleet_list_mdm_profiles Read fleet_list_osquery_tables Read fleet_list_packs Read fleet_list_policies Read fleet_list_queries Read fleet_list_scheduled_queries Read fleet_list_scripts Read fleet_list_secrets Read fleet_list_software Read fleet_list_software_titles Read fleet_list_team_users Read fleet_list_teams Read fleet_list_user_sessions Read fleet_list_users Read fleet_list_vpp_tokens Read fleet_search_hosts Read fleet_search_software Read fleet_suggest_tables_for_query Read fleet_verify_invite

// FAQ

Can an AI agent delete data through the Fleet MCP server? +

Yes. The Fleet server exposes 15 destructive tools including fleet_delete_bootstrap_package, fleet_delete_host, fleet_delete_invite. These permanently remove resources with no undo. Intercept blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Fleet? +

The Fleet server has 32 write tools including fleet_add_app_store_app, fleet_add_labels_to_host, fleet_add_team_users. Set rate limits in your policy file -- for example, rate_limit: 10/hour prevents an agent from making more than 10 modifications per hour. Intercept enforces this at the transport layer.

How many tools does the Fleet MCP server expose? +

132 tools across 4 categories: Destructive, Execute, Read, Write. 75 are read-only. 57 can modify, create, or delete data.

How do I add Intercept to my Fleet setup? +

One line change. Instead of running the Fleet server directly, prefix it with Intercept: intercept -c io-github-simplyminimal-fleet-mcp.yaml -- npx -y @fleet-mcp. Download a pre-built policy from policylayer.com/policies/io-github-simplyminimal-fleet-mcp and adjust the limits to match your use case.

// RELATED SERVERS

Other MCP servers with similar tools.

Starter policies available for each. Same risk classification, same one-command setup.

policylayer/intercept

Control every MCP tool call
your agent makes.

Set budgets, approvals, and hard limits across MCP servers.

npx -y @policylayer/intercept init

Protect your agent in 30 seconds. Scans your MCP config and generates enforcement policies for every server.

Fleet

One command. Full control.

Other MCP servers with similar tools.

Control every MCP tool call your agent makes.

Control every MCP tool call
your agent makes.