High-risk tools in Leapfrog
5 of the 37 tools in Leapfrog are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
- batch_actions (Execute, 3/5): Execute multiple browser actions sequentially in a single MCP call. Eliminates round-trip overhead for humanization sequences (e.g. Bezier mouse paths, typed text with delays). ...
- execute (Execute, 4/5): Run a Playwright script with access to { page, context }. One tool call replaces 5-20 sequential MCP round trips. Use for complex flows with conditional logic, loops, error hand...
- navigate (Execute, 3/5): Navigate to a URL and return a compact accessibility snapshot with @eN refs. Refs like @e1, @e2 can be passed directly to the 'act' tool — no CSS selectors needed. Snapshots are...
- wait_for (Execute, 4/5): Wait for a condition before proceeding. Supports: element visible, text appears, network idle, URL navigation, JS expression truthy. Returns a fresh snapshot after the wait comp...
- wait_for_human (Execute, 3/5): Pause and request human intervention. Shows the @..@ overlay with your reason. Use when you encounter a CAPTCHA, login wall, or any situation requiring human action. The tool bl...
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.
Enforce policy on Leapfrog
One command generates a policy scaffold for every server in your MCP config.
npx -y @policylayer/intercept init