High-risk tools in 0nmcp
14 of the 407 tools in 0nmcp are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
- api_call (Execute): Make a direct API call to any connected service. For advanced use when you need fine-grained control beyond the execute tool.
- app_build (Execute): Build a .0n application bundle — a portable encrypted file containing endpoints, workflows, operations, automations, and connections. Deploy anywhere with: 0nmcp app run <file> ...
- brain_build (Execute): Add knowledge, reasoning patterns, behavior rules, or skills to a brain. Layers: knowledge — concepts, facts, rules, glossary terms reasoning — decomposition patterns, de...
- brain_compile (Execute): Compile a trained brain into a portable .brain file. The .brain file can be imported into any app on any LLM. Also generates the system prompt version for direct use. Example:...
- brain_train (Execute): Run scenario-based training on a brain. Executes each scenario against the brain
- crm_build_ai_workflow (Execute): Build and deploy a complete AI Workflow (Agent Studio agent) from a natural language description. Creates the agent, configures knowledge base connections, adds MCP server nodes...
- crm_deploy_snapshot (Execute): Deploy a full snapshot — pipeline, tags, custom values, and workflow definitions — in a single operation.
- crm_execute_agent (Execute): Execute an Agent Studio agent. Send a message and get a response. Use executionId to maintain conversation sessions.
- crm_run_ai_workflow (Execute): Execute an AI Workflow (Agent Studio agent). Send a message and get a response. Maintains conversation context via executionId.
- crm_start_social_oauth (Execute): Start an OAuth flow to connect a CRM-native social media provider account (Facebook, Instagram, Google, Twitter/X, LinkedIn, TikTok). NOTE: Reddit OAuth is handled separately vi...
- execute (Execute): Execute any task using connected services. The AI orchestrator automatically: 1. Parses your intent from natural language 2. Finds the best services to use 3. Creates an executi...
- plugin_build (Execute): Build a plugin from a service key or custom spec. If building from catalog, returns the plugin
- plugin_execute (Execute): Execute a plugin endpoint with automatic .0n field resolution. Accepts canonical .0n fields (email.0n, fullname.0n, etc.) and auto-translates to the service
- run_workflow (Execute): Execute a pre-defined .0n workflow file. Workflows are deterministic, step-by-step automations stored in ~/.0n/workflows/. Unlike the
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.