Critical-risk tools in Mcp Server

Critical severity Mcp Server MCP Server 20 of 160 tools

20 of the 160 tools in Mcp Server are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.

Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.

Tools at critical risk

cancel_order Destructive

[orders-admin] Cancel an order (status → canceled). Optional reason stored as order comment.
clear_app_cache Destructive

[settings] Clear application cache for a specific installation. DELETE /clearAppCache/{installation_key}. Requires admin/write scope.
delete_attribute Destructive

[attributes] Delete an attribute definition by id.
delete_attribute_group Destructive

[attributes] Delete an attribute group by id.
delete_attribute_value Destructive

[attributes] Delete an attribute value by id.
delete_billing_address Destructive

[b2b] Delete a billing address by ID.
delete_brand Destructive

[catalog] Delete a brand (attribute value). Fails with 409 if products still use it unless force=true.
delete_category Destructive

[catalog] Delete a category by ID. May fail if products are still assigned.
delete_company Destructive

[customer] Delete a company by ID. CustomerHub DELETE /companies/{id}.
delete_customer Destructive

[b2b] Delete a customer by ID.
delete_order Destructive

[orders-admin] Permanently delete an order by ID.
delete_product Destructive

[catalog] Delete a product by ID.
delete_shipping_address Destructive

[b2b] Delete a shipping address by ID.
remove_cart_item Destructive

Remove a single item from a cart by cart-item ID.
remove_company_attribute Destructive

[attributes] Remove one attribute from a company.
remove_customer_attribute Destructive

[attributes] Remove one attribute from a customer.
remove_entity_attribute Destructive

[attributes] Remove one attribute from an entity by attribute_id.
remove_order_attribute Destructive

[attributes] Remove one attribute from an order.
remove_product_attribute Destructive

[attributes] Alias: remove_entity_attribute for products.
unlink_customer_from_company Destructive

[b2b] Remove a customer from their company (clears company_id).

Attacks that target this class

Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.

Critical-risk tools in Mcp Server

Tools at critical risk

Attacks that target this class

More on Mcp Server

Let agents act without letting them run wild.