Critical-risk tools in Test
11 of the 202 tools in Test are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
cleanDestructiveRuns dotnet clean to remove build outputs and returns structured results.
-
removeDestructiveRuns
-
resetDestructiveResets the current HEAD to a specified state. Supports soft, mixed, hard, merge, and keep modes. The
-
secret-deleteDestructiveDeletes a repository, organization, or environment GitHub Actions secret.
-
tagDestructiveManages git tags. Supports list (default), create, and delete actions. List returns structured tag data with name, date, and message. Create supports lightweight and annotated t...
-
variable-deleteDestructiveDeletes a repository, organization, or environment GitHub Actions variable.
-
workspaceDestructiveManages Terraform workspaces: list, select, create, or delete workspaces.
-
package-cleanDestructiveCleans Swift package build artifacts and returns structured result.
-
branchDestructiveLists, creates, renames, or deletes branches. Returns structured branch data. Pass
-
stashDestructivePushes, pops, applies, drops, shows, or clears stash entries. Returns structured result with action, success, message, and stash reference.
-
worktreeDestructiveLists, adds, removes, locks, unlocks, or prunes git worktrees for managing multiple working trees. Returns structured data with worktree paths, branches, and HEAD commits.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.