Critical-Risk MCP Tools
Critical-risk MCP tools destroy data or move money. Both actions are irreversible, and both can be completed in a single call. These tools share a policy requirement: blocked by default, enabled only with human approval and per-transaction limits.
Attacks targeting critical-risk tools
Named attack patterns where tools at this severity have produced real incidents. Each links to the full case and the defensive policy.
Servers with critical-risk tools
Showing 50 of 3422 servers. Each server link opens its capability-level browse; each tool opens its profile with the recommended policy.
- Mcp Ap2 350 critical-risk tools
- Mcp Afip 282 critical-risk tools
- GoHighLevel MCP Server 247 critical-risk tools
- Binance MCP Server 203 critical-risk tools
- Sperax Ecosystem Crypto & DeFI MCP Server 188 critical-risk tools
- BNB Chain MCP 181 critical-risk tools
- AdButler 114 critical-risk tools
- Aibtc 80 critical-risk tools
- Storyblok MCP Server 73 critical-risk tools
- TheProtocol — Sovereign AI Agent Platform 69 critical-risk tools
- Amazon Data Processing MCP Server 68 critical-risk tools
- AWS Labs Aurora DSQL MCP Server 66 critical-risk tools
- AWS Labs CloudTrail MCP Server 66 critical-risk tools
- AWS Labs postgres MCP Server 66 critical-risk tools
- AWS Pricing MCP Server 66 critical-risk tools
- Bybit MCP Server 66 critical-risk tools
- Document Loader MCP Server 66 critical-risk tools
- Amazon ECS MCP Server 65 critical-risk tools
- Awslabs Valkey 65 critical-risk tools
- Amazon Translate MCP Server 65 critical-risk tools
- AWS Cloud Control API (CCAPI) MCP Server 65 critical-risk tools
- AWS IoT SiteWise MCP Server 65 critical-risk tools
- AWS Labs Amazon Q Business anonymous mode MCP Server 65 critical-risk tools
- AWS Labs MySQL MCP Server 65 critical-risk tools
- AWS Support MCP Server 65 critical-risk tools
- AWS Transform MCP Server 65 critical-risk tools
- 0nmcp 65 critical-risk tools
- Prometheus MCP Server 65 critical-risk tools
- Amazon EKS MCP Server 64 critical-risk tools
- Amazon SageMaker AI MCP Server 64 critical-risk tools
- AWS API MCP Server 64 critical-risk tools
- AWS AppSync MCP Server 64 critical-risk tools
- AWS DocumentDB MCP Server 64 critical-risk tools
- AWS ElastiCache MCP Server 64 critical-risk tools
- AWS Labs Timestream for InfluxDB MCP Server 64 critical-risk tools
- AWS Step Functions Tool MCP Server 64 critical-risk tools
- Amazon Bedrock Knowledge Base Retrieval MCP Server 63 critical-risk tools
- Amazon Redshift MCP Server 63 critical-risk tools
- AWS DynamoDB MCP Server 63 critical-risk tools
- AWS HealthOmics MCP Server 63 critical-risk tools
- AWS Labs amazon-qindex MCP Server 63 critical-risk tools
- AWS Labs AWS For SAP Management MCP Server 63 critical-risk tools
- AWS Serverless MCP Server 63 critical-risk tools
- Amazon MQ MCP Server 62 critical-risk tools
- Awslabs Amazon Sns Sqs 62 critical-risk tools
- AWS Documentation MCP Server 62 critical-risk tools
- AWS HealthImaging MCP Server 62 critical-risk tools
- AWS Infrastructure as Code MCP Server 62 critical-risk tools
- AWS Labs Amazon Kendra Index MCP Server 62 critical-risk tools
- AWS Labs CloudWatch MCP Server 62 critical-risk tools
See all tools in destructive · financial.
Other risk levels
Frequently asked questions
What makes a tool critical risk?
Critical-risk MCP tools perform irreversible operations. Destructive tools permanently delete or destroy resources. Financial tools move real money. Once called, there is no undo at the MCP layer. PolicyLayer classifies these tools together because they share the same policy recommendation: block by default, require human approval with per-transaction limits before enabling.
How should I enforce policy on critical-risk tools?
Default-deny is the baseline. Destructive operations require explicit human approval at the transport layer. Financial operations need per-transaction spending caps, daily budgets, and recipient allowlists. The Intercept policy engine supports all four primitives (deny, require_approval, spend caps, allowlists).
Which MCP servers expose critical-risk tools?
Thousands. Any server that edits state (CRMs, databases, filesystems) has destructive operations. Payment-rail servers (Stripe, crypto wallets, banking APIs) have financial operations. The risk is concentrated in the critical category, not the server.
What attacks target critical-risk tools?
Destructive action autonomy is the most-cited incident class (Amazon Kiro, Replit/SaaStr). Privilege escalation via admin-only tools, runaway tool loops, and data exfiltration via tool chaining all overlap. See the MCP Attack Database for the full catalogue with real cases and defensive policies.
How is risk score calculated?
PolicyLayer runs every discovered MCP tool through a classifier that assigns a category (Read/Write/Execute/Destructive/Financial/Other) and a 1–5 severity score. Destructive and Financial tools receive the highest scores. The classifier is proprietary; its output powers this catalogue.