High-risk tools in Persistent Terminal MCP Server
6 of the 10 tools in Persistent Terminal MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
create_terminalExecuteCreate a new persistent terminal session
-
create_terminal_basicExecuteCreate a new persistent terminal session (shell and cwd only). Useful for clients that cannot send env objects.
-
fix_bug_with_codexExecuteUse OpenAI Codex CLI to automatically fix bugs with FULL SYSTEM ACCESS. WARNING CRITICAL: This tool gives Codex COMPLETE control over the codebase! - Sandbox: danger-full-acces...
-
open_terminal_uiExecuteOpen a web-based terminal management UI in the browser. This provides a visual interface to manage all terminal sessions.
-
wait_for_outputExecuteWait for terminal output to stabilize. Useful after running commands to ensure all output is captured.
-
write_terminalExecuteWrite input to a terminal session. Commands add a newline by default, but you can disable that for raw control sequences.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.