High-risk tools in AWS Bedrock AgentCore MCP Server
16 of the 122 tools in AWS Bedrock AgentCore MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
- browser_evaluate (Execute): Execute a JavaScript expression in the page context. The expression is evaluated in the browser and its return value is serialized to JSON. Use this for extracting data, readin...
- browser_navigate (Execute): Navigate to a URL in the browser. Loads the specified URL and returns an accessibility tree snapshot of the loaded page. Use the element refs in the snapshot for subsequent int...
- browser_navigate_back (Execute): Navigate back in browser history. Returns an accessibility tree snapshot of the previous page.
- browser_navigate_forward (Execute): Navigate forward in browser history. Returns an accessibility tree snapshot of the next page.
- browser_wait_for (Execute): Wait for text to appear or an element to become visible. Provide either text or selector. Returns the page snapshot after the condition is met. Raises an error if the timeout i...
- execute_code (Execute): Execute code in a sandboxed code interpreter session. Runs Python, JavaScript, or TypeScript code in the session's sandbox. The execution context (variables, imports) persists ...
- execute_command (Execute): Execute a shell command in a sandboxed code interpreter session. Runs a shell command in the session's sandbox environment. Args: ctx: MCP context for error signaling and ...
- gateway_target_synchronize (Execute): Explicitly synchronize gateway targets with their upstream tool catalog. COST WARNING: Synchronization calls the MCP server's tools/list endpoint and re-indexes the tool catalo...
- invoke_agent_runtime (Execute): Invoke an agent hosted in AgentCore Runtime. Sends a request to the agent and returns the response. Each invocation uses or creates a microVM session identified by runtime_sess...
- memory_start_extraction_job (Execute): Start (or restart) a memory extraction job. COST WARNING: Extraction jobs consume compute resources to process events and produce memory records. This incurs AWS charges. Typi...
- policy_generation_start (Execute): Start an AI-powered Cedar policy generation from natural language. COST WARNING: Policy generation invokes foundation models and consumes significant compute resources. This is...
- start_browser_session (Execute): Start a cloud browser session via Amazon Bedrock AgentCore. Creates an isolated browser session running in a Firecracker microVM. Returns the session ID and automation stream U...
- start_code_interpreter_session (Execute): Start a new sandboxed code interpreter session. Creates a new session that can execute code, run commands, and manage files in an isolated environment. The session remains acti...
- stop_browser_session (Execute): Stop a browser session and release resources. Terminates the browser session and its underlying microVM. The session cannot be resumed after stopping.
- stop_code_interpreter_session (Execute): Stop a running code interpreter session and release its resources. Args: ctx: MCP context for error signaling and progress updates. session_id: The session ID to stop. ...
- stop_runtime_session (Execute): Stop a running runtime session to release its microVM. Use this to terminate sessions early and **save costs** instead of waiting for the idle timeout (default 15 minutes). Thi...
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.