// SCAN REPORT

Threejs Devtools

60 tools. 27 can modify or destroy data without limits.

5 destructive tools with no built-in limits. Policy required.

Last updated:

27 can modify or destroy data
33 read-only
60 tools total
// TOOL MAP
Read (33) Write / Execute (22) Destructive / Financial (5)
// WHAT CAN GO WRONG

Destructive tools (bounding_boxes, highlight_object, remove_helper) permanently delete resources. There is no undo. An agent calling these in a retry loop causes irreversible damage.

Write operations (add_helper, click_inspect, overlay_selected) modify state. Without rate limits, an agent can make hundreds of changes in seconds — faster than any human can review or revert.

Execute tools (performance_snapshot, run_js) trigger processes with side effects. Builds, notifications, workflows — all fired without throttling.

One command. Full control.

Intercept sits between your agent and Threejs Devtools. Every tool call checked against your policy before it executes — so your agent can do its job without breaking things.

npx -y @policylayer/intercept scan -- npx -y @threejs-devtools-mcp
Scans every tool. Generates a policy. Starts enforcing.
Works with Claude Code · Cursor · Claude Desktop · Windsurf · any MCP client
// RECOMMENDED RULES
Deny destructive operations
bounding_boxes:
  rules:
    - action: deny

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
add_helper:
  rules:
    - rate_limit: 30/hour

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
animation_details:
  rules:
    - rate_limit: 60/minute

Controls API costs and prevents retry loops from exhausting upstream rate limits.

// ALL 60 THREEJS DEVTOOLS TOOLS
DESTRUCTIVE 5 tools
Destructive bounding_boxes Destructive highlight_object Destructive remove_helper Destructive toggle_overlay Destructive toggle_wireframe
EXECUTE 2 tools
Execute performance_snapshot Execute run_js
WRITE 20 tools
Write add_helper Write click_inspect Write overlay_selected Write scene_export Write scene_tree Write set_animation Write set_camera Write set_dev_port Write set_dev_url Write set_fog Write set_instanced_mesh Write set_layers Write set_light Write set_material_property Write set_morph_target Write set_object_transform Write set_renderer Write set_shadow Write set_texture Write set_uniform
READ 33 tools
Read animation_details Read annotated_screenshot Read bridge_status Read camera_details Read console_capture Read dispose_check Read env_map_details Read find_objects Read fog_details Read geometry_details Read gltf_to_r3f Read instanced_mesh_details Read layer_details Read material_details Read material_list Read memory_stats Read morph_targets Read object_details Read perf_monitor Read postprocessing_list Read raycast Read renderer_info Read renderer_settings Read scene_background Read scene_diff Read shader_list Read shader_source Read shadow_details Read skeleton_details Read take_screenshot Read texture_details Read texture_list Read texture_preview
// FAQ
Can an AI agent delete data through the Threejs Devtools MCP server? +

Yes. The Threejs Devtools server exposes 5 destructive tools including bounding_boxes, highlight_object, remove_helper. These permanently remove resources with no undo. Intercept blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Threejs Devtools? +

The Threejs Devtools server has 20 write tools including add_helper, click_inspect, overlay_selected. Set rate limits in your policy file -- for example, rate_limit: 10/hour prevents an agent from making more than 10 modifications per hour. Intercept enforces this at the transport layer.

How many tools does the Threejs Devtools MCP server expose? +

60 tools across 4 categories: Destructive, Execute, Read, Write. 33 are read-only. 27 can modify, create, or delete data.

How do I add Intercept to my Threejs Devtools setup? +

One line change. Instead of running the Threejs Devtools server directly, prefix it with Intercept: intercept -c three-js-devtools-mcp.yaml -- npx -y @threejs-devtools-mcp. Download a pre-built policy from policylayer.com/policies/three-js-devtools-mcp and adjust the limits to match your use case.

// RELATED SERVERS

Other MCP servers with similar tools.

Starter policies available for each. Same risk classification, same one-command setup.

Mcp Api 310 tools
adminautomation
Aibtc 288 tools
adminautomation
Google Super 200 tools
adminautomation
Propresenter 177 tools
adminautomation
Leaper Vision Toolkit 169 tools
adminautomation
Apiosk 160 tools
adminautomation
Mcp Sitecore 153 tools
adminautomation
SmartBear MCP 147 tools
adminautomation
policylayer/intercept

Control every MCP tool call
your agent makes.

Set budgets, approvals, and hard limits across MCP servers.

npx -y @policylayer/intercept init
Protect your agent in 30 seconds. Scans your MCP config and generates enforcement policies for every server.
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.