AF_MCP

72 tools. 29 can modify or destroy data without limits.

9 destructive tools with no built-in limits. Policy required.

Last updated:

29 can modify or destroy data
43 read-only
72 tools total

Community server · catalogue entry verified 03/07/2026

How to control AF_MCP ↓

What AF_MCP exposes to your agents

Read (43) Write / Execute (20) Destructive / Financial (9)
Critical Risk

The most dangerous AF_MCP tools

29 of AF_MCP's 72 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

How to control AF_MCP

PolicyLayer is an MCP gateway — it sits between your AI agents and AF_MCP, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "block_add_business": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "apply_blacklist_add": {
    "limits": [
      {
        "counter": "apply_blacklist_add_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "account_config_status": {
    "limits": [
      {
        "counter": "account_config_status_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register AF_MCP — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON AF_MCP →

Instant setup, no code required.

All 72 AF_MCP tools

WRITE 16 tools
Write apply_blacklist_add 提交黑名单 IP 添加。需先调用 preview_blacklist_add,确认后以 confirmed=True 调用。 Write apply_blacklist_unblock 【应急】解封某一次封禁动作(DELETE 设备黑名单项 + 更新 action 状态为 unblocked)。 Write apply_nat_rule 提交 NAT 规则变更。需先调用 preview_nat_rule,确认后以 confirmed=True 调用。 Write apply_security_policy 提交安全策略变更。必须先调用 preview_security_policy 确认内容, Write apply_static_route 提交静态路由变更。需先调用 preview_static_route,确认后以 confirmed=True 调用。 Write auth_login 登录 AF 设备并建立当前 host/namespace 的本地会话。 Write block_add_attackers 批量新增封锁攻击者,并在执行前进行白名单和人工确认校验。 Write block_add_exceptions 批量新增例外封锁配置。 Write block_set_block_time 修改自动封锁攻击者时间配置。 Write block_update_exception 修改单项例外封锁配置。 Write block_update_exceptions 批量修改例外封锁配置。 Write preview_blacklist_add preview_blacklist_add Write set_usg_connection 通过聊天输入并持久化 USG6000F 连接账号;保存连接信息后,调用真实设备 API 前仍需先执行 usg_login。 Write set_whitelist_file 设置当前全局白名单文件路径,并持久化到本地配置文件。 Write usg_apply_blacklist_add 向 USG6000F 实际下发黑名单封禁,需先预览并传 confirmed=true。 Write usg_apply_blacklist_unblock 按 action_id 实际执行 USG 黑名单解封,需 confirmed=true。
READ 43 tools
Read account_config_status 返回当前账号默认配置状态,不回显明文密码。 Read agent_info 返回当前智能体脚手架状态、传输方式和已规划工具范围。 Read auth_keepalive 维持当前 host/namespace 的登录 token 不超时。 Read block_get_block_time 获取自动封锁攻击者时间配置。 Read block_get_total_count 获取当前命名空间下的封锁总条数。 Read block_list_attackers 查询封锁攻击者 IP 列表。 Read block_list_business 查询业务封锁 IP 列表。 Read block_list_exceptions 查询例外封锁配置列表。 Read block_list_temp 查询临时封锁 IP 列表。 Read check_whitelist_targets 检查一组目标是否命中当前白名单规则。 Read get_acl_rules 查询 ACL 列表及规则。 Read get_action_detail 查询单个 action 的完整详情(含 pre_state 快照 + 设备响应 + 审计链)。 Read get_blacklist 查询 IP 黑名单列表。 Read get_confirm_mode 返回当前有效的确认模式,用于判断高风险写操作按 手动 还是 自动 处理。 Read get_interfaces 查询接口信息,包含接口状态、IP 地址、描述等。 Read get_ipsec_tunnels 查询 IPSec VPN 隧道状态列表。 Read get_nat_rules 查询 NAT 规则。 Read get_security_policies 查询安全策略列表。 Read get_sessions 查询当前会话表(连接状态)。 Read get_static_routes 查询 IPv4 静态路由表。 Read get_whitelist_config 返回当前有效的白名单文件配置与规则统计。 Read get_whitelist_rules 返回当前生效白名单文件的完整规则配置。 Read list_actions 查询最近的处置动作记录(支持按 IP 或状态过滤)。 Read preview_blacklist_unblock 预览解封某一次封禁动作(按 action_id)。 Read preview_nat_rule preview_nat_rule Read preview_security_policy preview_security_policy Read preview_static_route 预览静态路由新增或修改(不实际下发)。 Read unblock_recent 【紧急批量回退】一键解封最近 N 分钟内的所有自动封禁(对应合同 10% 罚则的最快应急路径)。 Read usg_connection_status 查看当前 USG6000F 连接配置状态,不回显明文密码。 Read usg_get_action_detail 查询单个 USG 处置动作的完整详情。 Read usg_get_blacklist 查询 USG6000F 当前黑名单列表,可按 IP 过滤。 Read usg_list_actions 查询最近的 USG 处置动作记录。 Read usg_logout 清除当前 USG6000F 的本地登录态;之后调用真实设备 API 需重新执行 usg_login。 Read usg_preview_blacklist_add 预览向 USG6000F 黑名单添加 IP 的标准化处置指令,不实际下发。 Read usg_preview_blacklist_unblock 按 action_id 预览 USG 黑名单解封操作。 Read usg_unblock_recent 批量回滚最近 N 分钟内的 USG 自动封禁。 Read usg_whitelist_check 对指定 IP 执行 USG 五层白名单校验。 Read usg_whitelist_list 查询当前加载的全部 USG 白名单条目。 Read usg_whitelist_stats 查看 USG 白名单引擎状态与命中统计。 Read whitelist_check 对给定 IP 做五层白名单校验(仅查询,不修改任何状态)。用于人工核对或研判智能体自检。 Read whitelist_list 查询当前已加载的全部白名单条目(五层)。 Read whitelist_reload 热加载/重新加载白名单 YAML。 Read whitelist_stats 查询白名单运行统计(命中数、命中率、按层分布)+ 引擎状态。

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Questions about AF_MCP

Can an AI agent delete data through the AF_ MCP server? +

Yes. The AF_MCP server exposes 9 destructive tools including block_add_business, block_clear_attackers, block_clear_business. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through AF_MCP? +

The AF_MCP server has 16 write tools including apply_blacklist_add, apply_blacklist_unblock, apply_nat_rule. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach AF_MCP.

How many tools does the AF_ MCP server expose? +

72 tools across 3 categories: Destructive, Read, Write. 43 are read-only. 29 can modify, create, or delete data.

How do I enforce a policy on AF_MCP? +

Register the AF_ MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every AF_MCP tool call.

Deterministic rules across all 72 AF_MCP tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

Instant setup, no code required.

72 AF_MCP tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.