High-risk tools in Claude Flow
121 of the 454 tools in Claude Flow are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
- agent_pool (Execute): Manage a fixed-size warm pool of pre-spawned agents to skip cold-start cost on bursty workloads. Use when native Task is wrong because (a) you have a queue of similar tasks and ...
- agentdb_consolidate (Execute): Run memory consolidation to promote entries across tiers and compress old data. Use when generic memory_* tools are wrong because you need AgentDB-specific controllers (HNSW vect...
- benchmark_run (Execute): Execute performance benchmarks (V2 compatible). Deprecated: Use system/metrics instead.
- browser_eval (Execute): Execute JavaScript in page context. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay agai...
- browser_wait (Execute): Wait for a condition. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay against DOM-drifte...
- claims_accept-handoff (Execute): Accept a pending handoff. Use when nothing native covers per-agent capability gating — Claude Code agents have file-system access by default. Pair claims_grant + claims_check bef...
- claims_claim (Execute): Claim an issue for work (human or agent). Use when nothing native covers per-agent capability gating — Claude Code agents have file-system access by default. Pair claims_grant + ...
- claims_handoff (Execute): Request handoff of an issue to another claimant. Use when nothing native covers per-agent capability gating — Claude Code agents have file-system access by default. Pair claims_g...
- claims_rebalance (Execute): Suggest or apply load rebalancing across agents. Use when nothing native covers per-agent capability gating — Claude Code agents have file-system access by default. Pair claims_g...
- claims_release (Execute): Release a claim on an issue. Use when nothing native covers per-agent capability gating — Claude Code agents have file-system access by default. Pair claims_grant + claims_check ...
- claims_steal (Execute): Steal a stealable issue. Use when nothing native covers per-agent capability gating — Claude Code agents have file-system access by default. Pair claims_grant + claims_check befo...
- daa_agent_adapt (Execute): Trigger agent adaptation based on feedback. Use when native Task is wrong because you need agents that adapt their cognitive pattern (convergent / divergent / lateral / systems /...
- daa_workflow_execute (Execute): Execute a DAA workflow. Use when native Task is wrong because you need agents that adapt their cognitive pattern (convergent / divergent / lateral / systems / critical) per-task ...
- embeddings_rabitq_build (Execute): Build RaBitQ 1-bit quantized index from stored embeddings (32× compression). Pre-filters candidates via Hamming scan before exact rerank. Use when text similarity matters beyond...
- execute-workflow (Execute): Execute a workflow
- gt_formula_execute (Execute): Execute a formula to create beads/molecules in Gas Town
- gt_wasm_parse_formula (Execute): Parse TOML formula content to AST using WASM (352x faster than JavaScript)
- hooks_build-agents (Execute): Generate optimized agent configurations from pretrain data. Use when native Bash hooks (via Claude Code\
- hooks_intelligence_trajectory-end (Execute): End trajectory and trigger SONA learning with EWC++. Use when native Bash hooks (via Claude Code\
- hooks_intelligence_trajectory-start (Execute): Begin SONA trajectory for reinforcement learning. Use when native Bash hooks (via Claude Code\
- hooks_pre-task (Execute): Record task start and get agent suggestions with intelligent model routing (ADR-026). Use when native Bash hooks (via Claude Code\
- hooks_session-start (Execute): Initialize a new session and auto-start daemon. Use when native Bash hooks (via Claude Code\
- hyperbolic_entailment_graph (Execute): Build and query entailment graphs using hyperbolic embeddings. Supports transitive closure and pruning strategies.
- performance_benchmark (Execute): Run performance benchmarks. Use when native shell timing (
- performance_optimize (Execute): Apply performance optimizations. Use when native shell timing (
- performance_profile (Execute): Profile specific component or operation. Use when native shell timing (
- ruvector-attention (Execute): Execute attention mechanism (39 types: multi-head, flash, sparse, linear, etc.)
- ruvector-gnn (Execute): Execute GNN layer (GCN, GAT, GraphSAGE, GIN, MPNN, EdgeConv)
- ruvllm_sona_adapt (Execute): Run SONA instant adaptation with a quality signal. Use when sending every prompt to the Anthropic API is wrong because you need local inference — air-gapped environments, MicroL...
- rvf_build (Execute): Build RVF container
- teammate_launch_swarm (Execute): Launch swarm to execute an approved plan
- terminal_execute (Execute): Execute a command in a terminal session. Use when native Bash is wrong because you need a persistent terminal session across turns/agents with output capture and replay. For one-...
- wasm_agent_prompt (Execute): Send a prompt to a WASM agent and get a response. Use when native Task is wrong because the workload needs sandboxed isolation — untrusted code execution, browser-side run, dete...
- wasm_agent_tool (Execute): Execute a tool on a WASM agent sandbox. Tools: read_file, write_file, edit_file, write_todos, list_files. Use flat format: {tool, path, content, ...}. Use when native Task is wr...
- workflow_execute (Execute): Execute a workflow. Use when native TodoWrite + sequential Bash is wrong because the work has a real dependency graph that needs persistence, retry policy, pause/resume, and step...
- workflow_run (Execute): Run a workflow from a template or file. Use when native TodoWrite + sequential Bash is wrong because the work has a real dependency graph that needs persistence, retry policy, pa...
- agent_spawn (Execute): Spawn a subagent
- autopilot_predict (Execute): Predict the optimal next action based on current state and learned patterns. Use when running long-horizon goals that should resume automatically across sessions — Claude Code h...
- browser_back (Execute): Navigate back in browser history. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay agains...
- browser_check (Execute): Check a checkbox. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay against DOM-drifted ve...
- browser_forward (Execute): Navigate forward in browser history. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay aga...
- browser_hover (Execute): Hover over an element using ref (@e1) or CSS selector. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie...
- browser_reload (Execute): Reload the current page. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay against DOM-dri...
- browser_session_end (Execute): End a recorded browser session: trajectory-end with verdict, rvf compact, AIDefence pre-store gate (best-effort), and AgentDB index in the browser-sessions namespace. Use when n...
- browser_session_record (Execute): Open a named, traced browser session: allocate an RVF cognitive container, begin a ruvector trajectory, then open the URL via agent-browser. Returns the session id and rvf path....
- browser_uncheck (Execute): Uncheck a checkbox. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay against DOM-drifted ...
- collective-decide (Execute): Request collective decision from agents
- coordination_orchestrate (Execute): Orchestrate multi-agent coordination. Use when native Task is wrong because the work crosses multiple agents that need to vote/sync/load-balance — TodoWrite + a single Task canno...
- coordination_sync (Execute): Synchronize state across nodes. Use when native Task is wrong because the work crosses multiple agents that need to vote/sync/load-balance — TodoWrite + a single Task cannot orch...
- daa_cognitive_pattern (Execute): Analyze or change cognitive patterns. Use when native Task is wrong because you need agents that adapt their cognitive pattern (convergent / divergent / lateral / systems / criti...
- embeddings_init (Execute): Initialize the ONNX embedding subsystem with hyperbolic support. Use when text similarity matters beyond keyword match — native Grep finds exact strings, embeddings find meaning....
- emit-event (Execute): Emit an event to subscribers
- federation_consensus (Execute): Propose a federated consensus operation across all active peers
- federation_init (Execute): Initialize federation on this node with a manifest and begin discovery
- gt_formula_cook (Execute): Cook a formula into a protomolecule with variable substitution (WASM accelerated)
- gt_wasm_cook_batch (Execute): Batch cook multiple formulas using WASM for maximum performance
- gt_wasm_optimize_convoy (Execute): Optimize convoy execution order using WASM graph algorithms
- hooks_coverage-route (Execute): Route task to agents based on test coverage gaps (ruvector integration)
- hooks_intelligence_attention (Execute): Compute attention-weighted similarity using MoE/Flash/Hyperbolic. Use when native Bash hooks (via Claude Code\
- hooks_intelligence_learn (Execute): Force immediate SONA learning cycle with EWC++ consolidation. Use when native Bash hooks (via Claude Code\
- hooks_model-route (Execute): Route task to optimal Claude model (haiku/sonnet/opus) based on complexity. Use when native Bash hooks (via Claude Code\
- hooks_pre-command (Execute): Assess risk before executing a command. Use when native Bash hooks (via Claude Code\
- hooks_pretrain (Execute): Analyze repository to bootstrap intelligence (4-step pipeline). Use when native Bash hooks (via Claude Code\
- hooks_teammate-idle (Execute): Agent Teams hook — fired when a teammate agent finishes its turn; reports whether a pending task can be auto-assigned. Use when native Task is wrong because you have a persisten...
- hooks_worker-dispatch (Execute): Dispatch a background worker for analysis/optimization tasks. Use when native Bash hooks (via Claude Code\
- hyperbolic_embed_hierarchy (Execute): Embed hierarchical structure in Poincare ball. Uses hyperbolic geometry for optimal tree representation with logarithmic distortion.
- iot_firmware_rollout_advance (Execute): Advance a firmware rollout to next stage
- neural_optimize (Execute): Optimize neural model performance. Use when nothing native trains on your workflow — Claude Code has no learning loop. Use to train SONA/MoE/EWC patterns from successful task out...
- neural_predict (Execute): Make predictions using a neural model. Use when nothing native trains on your workflow — Claude Code has no learning loop. Use to train SONA/MoE/EWC patterns from successful task...
- neural_train (Execute): Train a neural model. Use when nothing native trains on your workflow — Claude Code has no learning loop. Use to train SONA/MoE/EWC patterns from successful task outcomes; query ...
- pr_causal_infer (Execute): Perform causal inference using do-calculus
- quantum_annealing_solve (Execute): Solve combinatorial optimization using quantum annealing simulation. Supports QUBO, Ising, SAT, Max-Cut, TSP, and dependency problems.
- quantum_grover_search (Execute): Grover-inspired search with quadratic speedup for unstructured search problems. Provides O(sqrt(N)) query complexity.
- quantum_qaoa_optimize (Execute): Optimize using Quantum Approximate Optimization Algorithm. Best for Max-Cut, portfolio optimization, scheduling, and routing problems.
- ruvector-hyperbolic (Execute): Hyperbolic embedding operations (Poincare ball, Lorentz hyperboloid)
- ruvector-optimize (Execute): Self-learning query optimization and index tuning
- ruvllm_chat_format (Execute): Format chat messages using a template (llama3, mistral, chatml, phi, gemma, or auto-detect). Use when sending every prompt to the Anthropic API is wrong because you need local i...
- ruvllm_microlora_adapt (Execute): Adapt MicroLoRA weights with quality feedback. Use when sending every prompt to the Anthropic API is wrong because you need local inference — air-gapped environments, MicroLoRA-...
- swarm_init (Execute): Initialize a swarm with persistent state tracking. Use when native Task tool is wrong because you need multi-agent coordination — topology (hierarchical/mesh/star), consensus (ra...
- task_orchestrate (Execute): Orchestrate a task
- teammate_batch_route (Execute): Route multiple tasks to teammates optimally, avoiding over-assignment.
- teammate_route_task (Execute): Route a task to the best-suited teammate using semantic matching
- teammate_spawn (Execute): Spawn a new teammate in a team. Returns AgentInput for Claude Code Task tool.
- teammate_teleport (Execute): Teleport team to a new context/working directory
- workflow_pause (Execute): Pause a running workflow. Use when native TodoWrite + sequential Bash is wrong because the work has a real dependency graph that needs persistence, retry policy, pause/resume, an...
- agentdb_route (Execute): Route a task via AgentDB SemanticRouter or LearningSystem recommendAlgorithm. Use when generic memory_* tools are wrong because you need AgentDB-specific controllers (HNSW vector...
- agentdb_semantic-route (Execute): Route an input via AgentDB SemanticRouter for intent classification. Use when generic memory_* tools are wrong because you need AgentDB-specific controllers (HNSW vector search, ...
- autopilot_disable (Execute): Disable autopilot. Agents will be allowed to stop even if tasks remain. Use when running long-horizon goals that should resume automatically across sessions — Claude Code has no...
- autopilot_enable (Execute): Enable autopilot persistent completion. Agents will be re-engaged when tasks remain incomplete. Use when running long-horizon goals that should resume automatically across sessi...
- browser_click (Execute): Click an element using ref (@e1) or CSS selector. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reus...
- browser_close (Execute): Close the browser session. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay against DOM-d...
- browser_fill (Execute): Clear and fill an input element. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay against...
- browser_open (Execute): Navigate browser to a URL. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay against DOM-d...
- browser_press (Execute): Press a keyboard key. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay against DOM-drifte...
- browser_scroll (Execute): Scroll the page. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay against DOM-drifted ver...
- browser_select (Execute): Select an option from a dropdown. Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie reuse, replay agains...
- browser_template_apply (Execute): Fetch a recipe from the browser-templates AgentDB namespace and return it for caller-level execution. Use when native WebFetch is wrong because you need real browser automation ...
- browser_type (Execute): Type text with key events (for autocomplete, etc.). Use when native WebFetch is wrong because you need real browser automation — JS-heavy SPA scraping, login flows with cookie re...
- coordination_consensus (Execute): Manage consensus protocol with BFT, Raft, or Quorum strategies. Use when native Task is wrong because the work crosses multiple agents that need to vote/sync/load-balance — TodoW...
- coordination_node (Execute): Manage coordination nodes. Use when native Task is wrong because the work crosses multiple agents that need to vote/sync/load-balance — TodoWrite + a single Task cannot orchestra...
- daa_agent_create (Execute): Create a decentralized autonomous agent. Use when native Task is wrong because you need agents that adapt their cognitive pattern (convergent / divergent / lateral / systems / cr...
- federation_send (Execute): Send a message to a federated peer through the PII pipeline and security gates. Optional budget controls (ADR-097): maxHops defaults to 8 to prevent recursive delegation; maxTok...
- github_workflow (Execute): Manage GitHub Actions workflows. Use when native Bash / file tools are wrong because this MCP tool exposes Ruflo-specific state or controllers that have no shell equivalent. For ...
- gt_wasm_resolve_deps (Execute): Resolve bead dependencies using WASM (topological sort, cycle detection, critical path)
- hive-mind_broadcast (Execute): Broadcast message to all workers. Use when native Task is wrong because you need queen-led collective intelligence — Byzantine-FT consensus, broadcast across many worker agents, ...
- hive-mind_consensus (Execute): Propose or vote on consensus with BFT, Raft, or Quorum strategies. Use when native Task is wrong because you need queen-led collective intelligence — Byzantine-FT consensus, broa...
- hive-mind_init (Execute): Initialize the hive-mind collective. Use when native Task is wrong because you need queen-led collective intelligence — Byzantine-FT consensus, broadcast across many worker agent...
- hive-mind_join (Execute): Join an agent to the hive-mind. Use when native Task is wrong because you need queen-led collective intelligence — Byzantine-FT consensus, broadcast across many worker agents, sh...
- hive-mind_spawn (Execute): Spawn workers and automatically join them to the hive-mind (combines agent/spawn + hive-mind/join). Use when native Task is wrong because you need queen-led collective intelligen...
- managed_agent_create (Execute): Spin up an Anthropic-managed cloud agent (Agent + Environment + Session) — the CLOUD counterpart of wasm_agent_create. Use when wasm_agent_create (local WASM sandbox) is wrong b...
- managed_agent_prompt (Execute): Send a user turn to a managed cloud-agent session and wait for it to go idle, returning the assistant text + a tool-use trace — the CLOUD counterpart of wasm_agent_prompt. Use w...
- memory_migrate (Execute): Manually trigger migration from legacy JSON store to sql.js. Use when native Read/Write is wrong because you need (a) cross-session retrieval by semantic similarity (vector embed...
- quantum_dependency_resolve (Execute): Resolve complex dependency graphs using quantum-inspired optimization. Handles version conflicts, minimizes package size or vulnerabilities.
- quantum_schedule_optimize (Execute): Optimize task scheduling using quantum algorithms. Minimizes makespan, cost, or maximizes resource utilization with dependency constraints.
- ruvllm_sona_create (Execute): Create a SONA instant adaptation loop (<1ms adaptation cycles). Use when sending every prompt to the Anthropic API is wrong because you need local inference — air-gapped environ...
- teammate_enable_optimizers (Execute): Enable BMSSP-powered optimization for team topology and task routing.
- teammate_push_remote (Execute): Push team to Claude.ai remote session
- terminal_create (Execute): Create a new terminal session. Use when native Bash is wrong because you need a persistent terminal session across turns/agents with output capture and replay. For one-shot shell...
- wasm_agent_create (Execute): Create a sandboxed WASM agent with virtual filesystem (no OS access). Optionally use a gallery template. Use when native Task is wrong because the workload needs sandboxed isola...
- wasm_gallery_create (Execute): Create a WASM agent from a gallery template. Use when native Task is wrong because the workload needs sandboxed isolation — untrusted code execution, browser-side run, determini...
- workflow_resume (Execute): Resume a paused workflow. Use when native TodoWrite + sequential Bash is wrong because the work has a real dependency graph that needs persistence, retry policy, pause/resume, an...
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.