Claude Team MCP

94 tools. 47 can modify or destroy data without limits.

4 destructive tools with no built-in limits. Policy required.

Last updated:

47 can modify or destroy data
47 read-only
94 tools total

Community server · catalogue entry verified 02/07/2026

How to control Claude Team MCP ↓

What Claude Team MCP exposes to your agents

Read (47) Write / Execute (42) Destructive / Financial (4)
Critical Risk

The most dangerous Claude Team MCP tools

47 of Claude Team MCP's 94 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

How to control Claude Team MCP

PolicyLayer is an MCP gateway — it sits between your AI agents and Claude Team MCP, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "gateway_delete_credential": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "add_task": {
    "limits": [
      {
        "counter": "add_task_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "acknowledge": {
    "limits": [
      {
        "counter": "acknowledge_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Claude Team MCP — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON CLAUDE TEAM →

Instant setup, no code required.

All 94 Claude Team MCP tools

WRITE 31 tools
Write add_task add_task Write assign_fix Assign a confirmed finding to a developer agent to fix, creating a linked Write assign_work assign_work Write auto_assign Auto-assign a task to the best-matching IDLE agent based on declared skills Write backup_now Force an immediate backup snapshot of the whole team state. Write brain_add brain_add Write brain_daily Append to today's daily journal in the second brain (or a given date). Write brain_link Connect two second-brain notes (builds the knowledge graph). Write cast_vote Cast a vote in the current debate. Complements the judge: votes are tallied Write close_agent close_agent Write gateway_add_route gateway_add_route Write gateway_generate_adapter gateway_generate_adapter Write gateway_register_mcp gateway_register_mcp Write gateway_set_credential Store a secret in the hub vault (a separate, chmod-600 file). Targets reference Write gateway_set_limit Set a per-minute call rate limit (per agent). Empty target sets the global Write gateway_toggle Enable or disable a target without deleting its config. Write git_link Link a git branch or commit to a task, so the board records which code Write join_team Register yourself as a team member. Call ONCE at the start of a session. Write post_message Post a message to the shared team channel. Agents on wait_for_message wake instantly. Write report_finding report_finding Write restore_backup Restore team state from a backup (e.g. after corruption or a bad reset). Write revise_proposal revise_proposal Write save_note Save project knowledge to shared memory (decisions, conventions, gotchas). Write save_summary Save a compact progress summary. TOKEN-SAVING: write a summary when context Write save_template save_template Write set_fact Store a key-value fact (deadline, version, base URL...). Overwrites same key. Write set_skills Declare what an agent is good at, so the PM can auto-assign matching tasks. Write set_status set_status Write submit_critique submit_critique Write submit_proposal submit_proposal Write update_task update_task
READ 47 tools
Read acknowledge Mark messages as READ by you (a read receipt). Lets the team see who has Read brain_backlinks Show every note connected to this one (backlinks / related notes). Read brain_get Read one second-brain note in full, with its links. Read brain_list Overview of the whole second brain: note count, categories, recent titles, journal days. Read brain_search Search your second brain by text, category, or tag. Read check_conflicts Conflict detection: flag risks where agents may collide — multiple agents Read context_checkpoint context_checkpoint Read export_report Generate a Markdown project report (metrics, task board, decisions, recent Read gateway_audit Show the central audit trail: who called what, when, status, latency. Read gateway_capabilities gateway_capabilities Read gateway_describe Show full config + cached capabilities for one target (credential masked). Read gateway_discover gateway_discover Read gateway_list_credentials List vault credential KEYS only (never the values). Read gateway_list_routes List routing rules, highest priority first. Read gateway_list_targets List registered targets (credentials are never shown). Read gateway_usage Show per-target usage stats (calls, errors, last used) and configured limits. Read get_debate See the full state of the current debate: topic, all proposals, all critiques Read get_facts Retrieve a fact, or all facts if no key given. Read get_finding Read one finding in full (description, recommendation, status history). Read judge_debate judge_debate Read list_backups List available state backups you can restore from. Read list_findings list_findings Read list_running_agents List terminal agents spawned via spawn_agent. Read list_templates List saved workflow templates. Read load_summary Load a saved summary to restore context cheaply. Read metrics Show team metrics: agent count, message volume, task breakdown, decisions made. Read network_info network_info Read next_round Advance the debate to the next critique round (the judge/PM calls this). Read obsidian_sync obsidian_sync Read ping ping Read project_log View the timestamped project activity history. Read read_channel Read channel messages WITHOUT waiting (instant snapshot). Read read_receipts See who has read up to a given message (or the latest). Useful to check if Read recover_tasks recover_tasks Read safe_call safe_call Read score_debate Debate quality scoring: rate each agent's contribution in the current debate Read search_notes Search the project knowledge base (saves tokens vs re-reading files). Read security_report Generate a full security report (findings by severity, status summary, Read smart_search smart_search Read suggest_route Smart routing: given a message or task description, suggest which agent is Read timeline Show a chronological timeline of the whole project (joins, tasks, decisions, Read triage_finding triage_finding Read verify_fix verify_fix Read view_board View the task board and who's online (auto-marks stale agents offline). Read vote_tally Show the current vote tally in the active debate (the judge uses this as Read webhook_notify webhook_notify Read who_is_free List agents that are IDLE (finished their work and ready for a new task).

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Questions about Claude Team MCP

Can an AI agent delete data through the Claude Team MCP server? +

Yes. The Claude Team MCP server exposes 4 destructive tools including gateway_delete_credential, gateway_remove_route, gateway_unregister. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Claude Team MCP? +

The Claude Team MCP server has 31 write tools including add_task, assign_fix, assign_work. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Claude Team MCP.

How many tools does the Claude Team MCP server expose? +

94 tools across 4 categories: Destructive, Execute, Read, Write. 47 are read-only. 47 can modify, create, or delete data.

How do I enforce a policy on Claude Team MCP? +

Register the Claude Team MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Claude Team MCP tool call.

Deterministic rules across all 94 Claude Team MCP tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

Instant setup, no code required.

94 Claude Team MCP tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.