// SCAN REPORT

Shellgate

31 tools. 15 can modify or destroy data without limits.

3 destructive tools with no built-in limits. Policy required.

Last updated:

15 can modify or destroy data
16 read-only
31 tools total

Community server · catalogue entry verified 11/06/2026

How to control Shellgate ↓

TOOL MAP

What Shellgate exposes to your agents

Read (16) Write / Execute (12) Destructive / Financial (3)

Running more than one server? Check your whole stack →

MOST DANGEROUS TOOLS
Critical Risk

The most dangerous Shellgate tools

Destructive · High memory_delete This tool permanently removes stored data (memories/context) without recovery option. Destructive · High org_skill_delete This tool performs an irreversible deletion operation on shared organizational data. Destructive · High wiki_delete_page Although described as 'soft delete' (suggesting potential recovery), the tool removes wiki pages from normal access and is categorized as destructive because: (1) deletion/archival of data is irreversible from the user's Execute · High ssh_exec SSH command execution is inherently an Execute risk—it triggers external operations (shell commands on remote servers) whose effects depend on the arguments provided.

15 of Shellgate's 31 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

POLICY

How to control Shellgate

PolicyLayer is an MCP gateway — it sits between your AI agents and Shellgate, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "memory_delete": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "webhook_ack": {
    "limits": [
      {
        "counter": "webhook_ack_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "bootstrap": {
    "limits": [
      {
        "counter": "bootstrap_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Shellgate — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON SHELLGATE →

Free to start. No card required.

FULL CATALOGUE

All 31 Shellgate tools

DESTRUCTIVE 3 tools
Destructive memory_delete Delete a memory that is outdated, incorrect, or superseded. Prefer updating (delete + add) over keeping stale Destructive org_skill_delete Delete a shared organization skill from Shellgate Destructive wiki_delete_page Archive a wiki page (soft delete). Sets status to
EXECUTE 3 tools
Execute ssh_exec Execute a command on an SSH target. If the response has status Execute api_request Proxy an HTTP request through the gateway to an upstream API target. If the response has status Execute blind_type Type a sensitive vault field value using keyboard events. The target field must be focused. The secret never a
WRITE 9 tools
Write webhook_ack Acknowledge processed webhook events Write blind_fill Fill a sensitive vault field into a browser element via CSS selector. The secret never appears in the agent co Write mail_draft Create a draft email in the Drafts folder. Write mail_flag Set or unset flags on an email (e.g. \\\\Seen, \\\\Flagged). Write mail_move Move an email to a different folder. Write mail_send Send an email. Requires approval — first call returns approval_required, re-call with approved: true after use Write memory_add Store a fact, preference, or learning. Rules: - summary: one-line description (max 500 chars) — this is the in Write org_skill_upsert Create or update a shared organization skill in Shellgate. Content must be full markdown with YAML frontmatter Write wiki_upsert_page Create or update a wiki page. For updates, pass expectedVersion for optimistic concurrency. Write-back pattern
READ 16 tools
Read bootstrap Returns all targets, skills, webhooks, memories, wiki pages, and vaults. Call at session start if not already Read api_download Download an image response from an API target through Shellgate and return a temporary MCP resource link. Use Read discover Alias for bootstrap — returns targets, skills, webhooks, memories, wiki pages, and vaults. Read mail_attachment Download an email attachment by UID and part ID. Returns base64-encoded content. Read mail_folders List all folders/labels in the mailbox. Read mail_read Read a full email message by UID. Returns from, to, cc, subject, date, text, html, flags, and attachment metad Read mail_search Search emails in a mailbox. Returns message list with uid, from, to, subject, date, flags. Read memory_list Returns a compact index of all accessible memories (id, summary, visibility, user, updatedAt). Call at session Read memory_read Returns the full content of a specific memory. Only fetch memories relevant to your current task — don Read org_skill_list List all organization-wide skills shared across Shellgate agents (slug and description) Read org_skill_read Read the full content of a shared organization skill from Shellgate Read vault_search Search for credential items in vaults accessible to this token. Returns item handles with non-sensitive field Read webhook_poll Poll for pending webhook events Read wiki_lint_page Validate a wiki page Read wiki_list_pages Browse the wiki index. Returns slug, title, namespace, tags, summary, status, version, updatedAt, updatedBy fo Read wiki_read_page Read a wiki page
EXPLORE

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Sperax Ecosystem Crypto & DeFI MCP Server 1318 tools
adminautomation
Mcp Afip 1300 tools
adminautomation
Mcp Ap2 1300 tools
adminautomation
BNB Chain MCP 1240 tools
adminautomation
Nodebench 824 tools
adminautomation
Amazon Bedrock Knowledge Base Retrieval MCP Server 805 tools
adminautomation
Amazon Data Processing MCP Server 805 tools
adminautomation
Amazon ECS MCP Server 805 tools
adminautomation
FAQ

Questions about Shellgate

Can an AI agent delete data through the Shellgate MCP server? +

Yes. The Shellgate server exposes 3 destructive tools including memory_delete, org_skill_delete, wiki_delete_page. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Shellgate? +

The Shellgate server has 9 write tools including webhook_ack, blind_fill, mail_draft. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Shellgate.

How many tools does the Shellgate MCP server expose? +

31 tools across 4 categories: Destructive, Execute, Read, Write. 16 are read-only. 15 can modify, create, or delete data.

How do I enforce a policy on Shellgate? +

Register the Shellgate MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Shellgate tool call.

Deterministic rules across all 31 Shellgate tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

ENFORCE POLICY ON SHELLGATE →

Free to start. No card required.

31 Shellgate tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.