High-risk tools in Mcp
12 of the 571 tools in Mcp are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
ai.councilExecuteAsk several frontier models the same question and get one synthesized consensus answer with a confidence score and points of dissent. Preset councils (fast/balanced/deep) or a c...
-
ai.screenshotExecuteTake a headless-browser screenshot of a URL. Returns base64 image + size metadata.
-
batch.runExecuteRun up to 50 endpoint calls behind ONE x402 payment. Price = exact sum of the sub-call prices (no discount). Atomic: every sub-call must succeed or nothing is charged (failures ...
-
dev.preflightExecuteCheck whether a shell command is runnable before running it — a pre-execution gate for agent-generated commands. POST command (curl/wget/httpie or anything with a URL). Parses o...
-
dev.regex-testExecuteTest a JavaScript regular expression against input text. POST { pattern, flags?, input }. Returns each match with its index, numbered capture groups, and named groups (up to 100...
-
hash.computeExecuteCompute one or more cryptographic hashes (sha256, sha512, md5, sha1, sha3, etc.) over an input.
-
pubsub.subscribeExecutePUBSUB: subscribe a callbackUrl to a topic by its topicId...
-
queue.leaseExecuteQUEUE: atomically claim up to
-
search.crawlExecuteCrawl a site and return clean page content. POST { url, limit?, maxDepth?, instructions? }. Follows links from the start URL (up to 10 pages, depth ≤2) and returns each page\
-
url.renderExecuteLike url.clean but renders the page in a real headless browser (JS executed) — for client-rendered / SPA pages where a raw fetch sees an empty shell. Same formats (markdown/text...
-
watchers.crypto-address-activityExecuteWATCHER: get a signed callback the moment a crypto address transacts. Arm once, pay once (no account, no API key) — we watch Base, Ethereum, or Bitcoin and POST your custom payl...
-
watchers.earthquakeExecuteWATCHER: get a signed callback when USGS reports a new earthquake near a location above a magnitude. Arm once, pay once. Pass lat, lon, optional radiusKm (default 500) and minMa...
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.