High-risk tools in ServiceNow MCP Server
7 of the 116 tools in ServiceNow MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
aggregateExecuteRun aggregate queries (count, sum, avg, etc.)
-
auth_browserExecuteLaunch browser for SSO authentication. Opens a browser window where you can log in with your enterprise SSO credentials. Cookies are captured and saved for subsequent API calls....
-
auth_refreshExecuteRefresh the current session by re-authenticating via browser. Uses the previously authenticated instance URL. Useful when session has expired.
-
batch_requestExecuteExecute multiple API requests in a single call
-
event_createExecuteCreate/fire a system event
-
scheduled_job_runExecuteExecute a scheduled job immediately
-
table_queryExecuteGeneric table query - query any ServiceNow table
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.