Critical-risk tools in TrekMail MCP Server
40 of the 216 tools in TrekMail MCP Server are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
bulk_actionDestructivePerform an action on up to 50 messages at once. Actions: read, unread, star, unstar, delete, move, spam, notspam. The
-
cancel_bulk_migrationDestructiveCancel an active bulk migration batch. All queued and running jobs will be stopped. Set confirm_cancel=true to proceed.
-
cancel_migrationDestructiveCancel a running email migration. Set confirm_cancel=true to proceed.
-
cancel_scheduledDestructiveCancel a pending scheduled message. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
change_mailbox_passwordDestructiveChange the password of a mailbox. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true because password changes are irreversible.
-
confirm_delete_intentDestructiveConfirm a delete intent to permanently delete a mailbox. This is step 2 of the two-step deletion process. IRREVERSIBLE — the mailbox and all its data will be permanently destroy...
-
create_delete_intentDestructiveCreate a delete intent for a mailbox. This is step 1 of the two-step deletion process. Returns an intent with a confirmation token that expires in 5 minutes. The intent must be ...
-
delete_aliasDestructivePermanently remove an email alias from a mailbox. Mail sent to this address will no longer be delivered. This cannot be undone.
-
delete_bulk_migrationDestructiveDelete a completed, failed, or cancelled bulk migration batch record. Cannot delete active batches. Both TREKMAIL_ALLOW_MIGRATION=true and confirm_delete=true are required.
-
delete_calendar_eventDestructiveDelete a calendar event. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
delete_cloudflare_tokenDestructiveDelete a saved Cloudflare token and disconnect all domains using it. Domains remain in TrekMail but lose their Cloudflare connection.
-
delete_contactDestructiveDelete a contact. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
delete_contact_groupDestructiveDelete a contact group. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
delete_domainDestructivePermanently delete a domain and all its mailboxes. This action is irreversible. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
delete_domain_smtp_profileDestructiveDelete a saved SMTP profile. Domains using it are reassigned automatically (to managed SMTP on paid plans, otherwise not_configured). Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
delete_folderDestructiveDelete an IMAP folder and all its contents. Special folders cannot be deleted. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
delete_identityDestructiveDelete an identity. Cannot delete the default identity. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
delete_mail_ruleDestructiveDelete a mail filter. This is irreversible. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
delete_messageDestructivePermanently delete a message by IMAP UID. This marks the message as \\Deleted and expunges it. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
delete_migrationDestructiveDelete a completed, failed, or cancelled migration record. Cannot delete running migrations. Both TREKMAIL_ALLOW_MIGRATION=true and confirm_delete=true are required.
-
delete_smtp_connectionDestructiveDelete a custom SMTP connection. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
delete_templateDestructiveDelete an email template. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
drive_bulk_purgeDestructiveDESTRUCTIVE. Hard-delete N TRASHED items. Items not currently in trash are silently skipped. Requires drive:*:purge scope AND TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
drive_bulk_trashDestructiveSoft-delete N items in one call. Caps at 5000 items per request.
-
drive_device_revokeDestructivePermanently revoke a Drive sync-device password. The sync client using it will lose access on its next request (no grace). Idempotent: revoking an already-revoked row is a no-op...
-
drive_file_purgeDestructiveDESTRUCTIVE. Permanently delete a TRASHED file. Bypasses the trash safety net. Requires drive:*:purge scope AND TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
drive_file_trashDestructiveSoft-delete: file moves to trash and active share-links are revoked.
-
drive_folder_purgeDestructiveDESTRUCTIVE. Hard-delete a TRASHED folder + its entire subtree. B2 cleanup runs async. Requires drive:*:purge scope AND TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
drive_folder_trashDestructiveSoft-delete folder + entire subtree (cascade). Active share-links on contained files are revoked.
-
drive_share_revokeDestructiveRevoke a share-link by id. Idempotent — second call no-ops.
-
drive_trash_emptyDestructiveDESTRUCTIVE. Permanently delete every trashed file + folder in the space. Requires drive:*:purge scope AND TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
empty_folderDestructiveDelete all messages in Trash or Junk folder. Only these two folders can be emptied. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
remove_contact_group_membersDestructiveRemove one or more contacts from a group.
-
remove_domain_brand_logoDestructiveRemove a brand asset (slot=light/dark/favicon) from a domain
-
remove_domain_brandingDestructiveTurn off White Label branding. scope=domain (default) turns it off for this domain only; scope=all turns it off for EVERY domain in the account — branded URLs stop serving. Save...
-
remove_shared_mailbox_memberDestructiveRemove a member from a shared (team) mailbox. Pass the membership row id (the
-
revoke_message_tokenDestructiveRevoke a message API token. The token will no longer be usable for message operations. This action cannot be undone.
-
unblock_senderDestructiveRemove a sender from the blocked list. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
verify_cancel_jobDestructiveCancel a running verification job. Unprocessed credits are automatically refunded.
-
verify_delete_jobDestructivePermanently delete a verification job and all its results. Cannot be undone. Job must be completed or cancelled first.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.