Critical-risk tools in Mcp Socialapi
12 of the 75 tools in Mcp Socialapi are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
- social_api_delete_brand (Destructive): Delete a brand and disconnect all its connected social accounts. This is irreversible.
- social_api_delete_comment (Destructive): Permanently delete a comment from the platform and remove it from the inbox database. This action is irreversible. Supported on Instagram, Facebook, and YouTube.
- social_api_delete_me (Destructive): Permanently delete the authenticated user account and ALL associated data including API keys, connected social accounts, usage logs, webhook endpoints, and OAuth consents. This ...
- social_api_delete_media (Destructive): Permanently delete a media file from the media library and object storage. This is irreversible. If the media is referenced by any post, the post will lose that attachment. Use ...
- social_api_delete_post (Destructive): Delete a published post from the social media platform, or cancel a scheduled/failed post before it is published. For published posts, this removes the post from the platform (i...
- social_api_delete_review_reply (Destructive): Delete a business reply to a review. Requires account_id and the platform review_id. Supported on Google Business. Returns 501 for platforms that do not support deleting review ...
- social_api_delete_webhook (Destructive): Permanently delete a webhook endpoint. Future events will no longer be delivered to this URL. Any in-flight deliveries may still complete. This is irreversible. Use social_api_l...
- social_api_disconnect_account (Destructive): Disconnect a connected social media account. Removes the stored OAuth tokens and disassociates the account from the user. Any scheduled posts targeting this account will fail on...
- social_api_moderate_comment (Destructive): Moderate a comment by hiding, unhiding, or deleting it. The interaction_id must be a comment ID starting with sapi_cmt_. Actions: 'hide' removes from public view (reversible), '...
- social_api_revoke_invite (Destructive): Revoke an active platform invite, making the invite URL immediately invalid. This is irreversible. Use social_api_list_invites to find the invite_id.
- social_api_revoke_key (Destructive): Permanently deactivate an API key. This is irreversible -- the key immediately stops working for all API requests. Use social_api_list_keys to find the key_id. Revoking an alrea...
- social_api_unpublish_post (Destructive): Unpublish a post from one or all platforms. Removes the post from the social media platform but keeps the post record in SocialAPI. Optionally specify account_id to unpublish fr...
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.