High-risk tools in Stable Baseline
9 of the 184 tools in Stable Baseline are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
- designWhiteboard (Execute): Design a complete, visually polished whiteboard from a natural-language goal using the PREMIUM multi-agent pipeline (the same one the in-app assistant uses): it browses the sten...
- duplicateWhiteboardElements (Execute): Copy-paste existing whiteboard elements — the MCP equivalent of selecting a group and pressing Ctrl/Cmd+D. Clones the given elements (plus their group peers + bound text/labels)...
- previewTaskDependencyCascade (Execute): Dry-run of `applyTaskDependencyCascade` — returns the diff without writing. Empty items array means the plan is already consistent. Accepts the same `pinnedItemIds` and `forward...
- purchaseCreditPackage (Execute): Apply a credit-package quote by creating a hosted Stripe Checkout session. Returns checkout_url + session_id. Refuses if catalogued price has drifted. Rate limit 5/h. Use only A...
- quoteCreditPackage (Execute): Quote a credit-package purchase (first half of the human-in-the-loop ritual). Returns quote_token (10-min TTL) plus package + total_aud. Caller must invoke purchaseCreditPackage...
- renderDiagram (Execute): Generate a diagram from its DSL/code and get the IMAGE back — WITHOUT inserting it into any document or whiteboard. For acting as a pure diagram generator. Provide diagramType (...
- resendInvitation (Execute): Resend a pending invitation: extends expires_at by 7 days and re-triggers the invitation email. Server resolves the organisation_id from the invitation row. Rate limit 6/h per i...
- startSignup (Execute): Begin an agent-driven sign-up to Stable Baseline. Anonymous-callable. Returns a `verification_url` and a 6-character `user_code` that the agent must show to the user. The user o...
- triggerKgRebuild (Execute): Apply a previously previewed KG rebuild. Dispatches the build batch via kg-rebuild and returns batch_id. Rate limit 5/h.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.