Critical-risk tools in Mcp Mailtrap
14 of the 86 tools in Mcp Mailtrap are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
clean-sandbox-inboxDestructiveDelete all messages from a sandbox inbox without deleting the inbox itself
-
delete-api-tokenDestructivePermanently delete an API token by ID. The token can no longer authenticate after deletion.
-
delete-contactDestructivePermanently delete a contact by ID or email. Returns the deleted contact record when available.
-
delete-contact-fieldDestructivePermanently delete a contact field definition by ID.
-
delete-contact-listDestructivePermanently delete a contact list by ID.
-
delete-sandbox-inboxDestructiveDelete a sandbox inbox and all its messages
-
delete-sandbox-messageDestructiveDelete a single sandbox message
-
delete-sandbox-projectDestructiveDelete a sandbox project and all its inboxes
-
delete-sending-domainDestructiveDelete a sending domain
-
delete-suppressionDestructiveDelete a suppression by ID. Mailtrap will resume delivery to this email unless it gets suppressed again.
-
delete-templateDestructiveDelete an existing email template
-
delete-webhookDestructivePermanently delete a webhook by ID. Returns the deleted webhook record.
-
remove-account-accessDestructiveRemove an account access by ID. For User specifiers this revokes permissions; for Invite or ApiToken specifiers it removes the specifier itself. Requires admin/owner.
-
reset-api-tokenDestructiveReset (rotate) an API token by ID. The response includes the **new** secret
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.