Critical-risk tools in Threejs Devtools
5 of the 60 tools in Threejs Devtools are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
- bounding_boxes (Destructive, 4/5): Show/hide axis-aligned bounding boxes for scene objects. Runtime only — for debugging frustum culling and object bounds. Debug only — page reload will reset. No code changes ne...
- highlight_object (Destructive, 4/5): Highlight an object for debugging (wireframe or visibility toggle). Runtime only — for visual inspection, not persisted. Debug only — page reload will reset. No code changes ne...
- remove_helper (Destructive, 4/5): Remove a previously added debug helper. Debug only — page reload will reset. No code changes needed.
- toggle_overlay (Destructive, 4/5): Toggle a lightweight scene inspector overlay in the browser. Shows real-time FPS, draw calls, triangles, object count, scene tree, materials, and lights. Click objects in the tr...
- toggle_wireframe (Destructive, 4/5): Toggle wireframe on all materials or a specific object. Runtime only — for visual debugging. Debug only — page reload will reset. No code changes needed.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.
Enforce policy on Threejs Devtools
One command generates a policy scaffold for every server in your MCP config.
npx -y @policylayer/intercept init