High-risk tools in Orgo MCP Server
9 of the 28 tools in Orgo MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
- orgo_bash (Execute): Execute a bash command on the VM. Uses WebSocket terminal (preferred) with REST API fallback. Returns output plus the exit code when non-zero. Prefer this over GUI clicks for an...
- orgo_ensure_running (Execute): Ensure a computer is running. Resumes suspended VMs automatically. Idempotent. Use before sending screen/shell actions when the VM may be suspended (cheaper than orgo_get_comput...
- orgo_exec (Execute): Execute Python code on the computer. Returns output or error details. Use for computation, JSON manipulation, HTTP calls, or any task naturally expressed in Python —
- orgo_wait (Execute): Pause execution on the VM for a fixed duration. Useful for sequencing actions between screen updates. Use after a click/type that triggers animation or async loading, before
- orgo_click (Execute): Click at pixel (x, y) coordinates on the VM display. Coordinates are in 1280x720 model space. Use only when GUI interaction is genuinely required — for anything scriptable, prefer
- orgo_drag (Execute): Drag from (start_x, start_y) to (end_x, end_y). Coordinates in 1280x720 model space. Use for text selection, drag-and-drop, slider manipulation — actions a click+release pair can
- orgo_key (Execute): Press a key or combo: Enter, Tab, Escape, ctrl+c, alt+Tab, ctrl+shift+s, F1-F12. Use for control keys, shortcuts, or modal dismissal —
- orgo_scroll (Execute): Scroll the VM display up or down. Use to navigate long pages, lists, or chat threads in the GUI.
- orgo_type (Execute): Type text at the current cursor position on the VM. Use to enter text in a focused GUI field; for terminal/shell input prefer
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.