Critical-risk tools in Claude Flow
28 of the 454 tools in Claude Flow are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
- agentdb_batch (Destructive): Batch operations on AgentDB episodes (insert, update, delete). Note: entries are stored in the AgentDB episodes table, not the memory_search namespace. Use memory_store for entr...
- agentdb_causal-edge-delete (Destructive): Delete a causal edge between two memory entries. Returns controller=
- agentdb_causal-node-delete (Destructive): Cascade-delete a causal node and all its incident edges from the SQL fallback. Native graph-node entries are unaffected (no delete API in the binding). Use when generic memory_*...
- agentdb_hierarchical-delete (Destructive): Delete a hierarchical-memory entry by key. Returns controller=
- autopilot_reset (Destructive): Reset autopilot iteration counter and restart the timer. Use when running long-horizon goals that should resume automatically across sessions — Claude Code has no native autonom...
- config_reset (Destructive): Reset configuration to defaults. Use when native settings.json edits are wrong because the values need to be read by the Ruflo runtime (daemon, MCP server, neural router) — those...
- hooks_intelligence-reset (Destructive): Reset intelligence learning state. Use when native Bash hooks (via Claude Code\
- hooks_worker-cancel (Destructive): Cancel a running worker. Use when native Bash hooks (via Claude Code\
- iot_device_remove (Destructive): Remove a registered device
- iot_fleet_delete (Destructive): Delete a fleet
- iot_fleet_remove_device (Destructive): Remove a device from a fleet
- memory_delete (Destructive): Remove a stored memory entry by exact (namespace, key). Use when a previously stored decision is invalidated or contains stale data. No native equivalent — Write to a file does ...
- ruvector_delete (Destructive): Delete vectors by ID.
- session_delete (Destructive): Delete a saved session. Use when native conversation memory is wrong because you need durable cross-session state — restoring agent definitions, swarm topology, memory store, bre...
- system_reset (Destructive): Reset system state. Use when native Bash is wrong because you need Ruflo runtime metrics (HNSW index size, ReasoningBank state, swarm health, breaker status) — those are not in /...
- task_cancel (Destructive): Cancel a task. Use when native TodoWrite is wrong because you need cross-session task persistence, agent assignment, dependency tracking, or completion analytics in the .swarm/me...
- wasm_agent_reset (Destructive): Reset a WASM agent — clears messages and turn count so it can be reused across tasks. Use when native Task is wrong because the agent lives in a sandboxed WASM runtime that must...
- wasm_gallery_remove_custom (Destructive): Remove a custom template from the WASM gallery by ID. Use when native Bash rm is wrong because custom templates exist only inside the WASM runtime registry and cannot be deleted...
- workflow_cancel (Destructive): Cancel a workflow. Use when native TodoWrite + sequential Bash is wrong because the work has a real dependency graph that needs persistence, retry policy, pause/resume, and step-...
- workflow_delete (Destructive): Delete a workflow. Use when native TodoWrite + sequential Bash is wrong because the work has a real dependency graph that needs persistence, retry policy, pause/resume, and step-...
- hooks_transfer (Financial): Transfer learned patterns from another project. Use when native Bash hooks (via Claude Code\
- transfer_ipfs-resolve (Financial): Resolve IPNS name to CID. Use when native package install (
- federation_report_spend (Financial): ADR-097 Phase 3 upstream: report the actual cost of a completed federated call. Fans out to the cost-tracker bus (via the integrator-wired SpendReporter) and the breaker service...
- iot_firmware_rollout_rollback (Destructive): Force rollback a firmware rollout
- agent_terminate (Destructive): Remove a Ruflo-tracked agent from the registry and free its swarm slot. Use when you need to (a) clean up a spawned agent so its cost-tracking row finalizes, (b) reclaim a swarm...
- federation_wg_keyrotate (Destructive): ADR-111 Phase 6: rotate the local WG keypair. Returns the new public key + recommended next steps (republish manifest, peers regenerate their wg-quick config, grace-period destr...
- managed_agent_terminate (Destructive): Delete a managed cloud-agent session (stops billing for it) — the CLOUD counterpart of wasm_agent_terminate. Use when native nothing applies because a cloud session keeps billin...
- teammate_cleanup (Destructive): Cleanup team resources and save state
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.