Critical-Risk MCP Tools

Critical severity · 1,239 tools · 385 servers

Critical-risk MCP tools destroy data or move money. Both actions are irreversible, and both can be completed in a single call. These tools share a policy requirement: blocked by default, enabled only with human approval and per-transaction limits.

Attacks targeting critical-risk tools

Named attack patterns where tools at this severity have produced real incidents. Each links to the full case and the defensive policy.

Browse the full MCP Attack Database →

Servers with critical-risk tools

Showing 50 of 385 servers. Each server link opens its capability-level browse; each tool opens its profile with the recommended policy.

See all tools in destructive · financial.

Frequently asked questions

What makes a tool critical risk?

Critical-risk MCP tools perform irreversible operations. Destructive tools permanently delete or destroy resources. Financial tools move real money. Once called, there is no undo at the MCP layer. PolicyLayer classifies these tools together because they share the same policy recommendation: block by default, require human approval with per-transaction limits before enabling.

How should I enforce policy on critical-risk tools?

Default-deny is the baseline. Destructive operations require explicit human approval at the transport layer. Financial operations need per-transaction spending caps, daily budgets, and recipient allowlists. The Intercept policy engine supports all four primitives (deny, require_approval, spend caps, allowlists).

Which MCP servers expose critical-risk tools?

Thousands. Any server that edits state (CRMs, databases, filesystems) has destructive operations. Payment-rail servers (Stripe, crypto wallets, banking APIs) have financial operations. The risk is concentrated in the critical category, not the server.

What attacks target critical-risk tools?

Destructive action autonomy is the most-cited incident class (Amazon Kiro, Replit/SaaStr). Privilege escalation via admin-only tools, runaway tool loops, and data exfiltration via tool chaining all overlap. See the MCP Attack Database for the full catalogue with real cases and defensive policies.

How is risk score calculated?

PolicyLayer runs every discovered MCP tool through a classifier that assigns a category (Read/Write/Execute/Destructive/Financial/Other) and a 1–5 severity score. Destructive and Financial tools receive the highest scores. The classifier is proprietary; its output powers this catalogue.

Enforce policies on critical-risk tools

Scans your MCP config and generates enforcement policies for every server.

npx -y @policylayer/intercept init
github.com/policylayer/intercept →