High-risk tools in Serac
54 of the 432 tools in Serac are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
enterprise_tool_executeExecuteExecute an enterprise tool by name. Use enterprise_tool_search first to discover available tools.
-
snow_auto_resolve_incidentExecuteAttempts automated resolution of technical incidents based on known patterns and previous solutions. Includes dry-run mode for safety.
-
snow_automate_threat_responseExecuteExecute a tiered incident response playbook (contain / isolate / eradicate / recover) for a known threat ID. Either runs the action set automatically and notifies the listed gro...
-
snow_batch_requestExecuteSend multiple REST calls in a single round-trip via /api/now/v1/batch. Each entry has method, url, and body — replies come back in order under a generated batch ID. Cuts overhea...
-
snow_change_manageExecuteUnified change management (create, update_state, approve, create_task, schedule_cab)
-
snow_cicd_deployExecuteTrigger CI/CD deployment pipeline
-
snow_collect_metricExecuteSample a defined metric on-demand: runs the platform MetricBaseCollector against a metric_definition sys_id to write a fresh measurement point. Companion to snow_create_metric.
-
snow_confirm_script_executionExecute⚡ Confirms and schedules script after user approval (use after snow_execute_script with requireConfirmation=true). Note: Uses same scheduled job approach.
-
snow_convert_es6_to_es5ExecuteConvert ES6+ JavaScript to ES5 for ServiceNow compatibility. Use this when debugging SyntaxErrors.
-
snow_convert_to_es5ExecuteConvert modern JavaScript (ES6+) to ES5 for ServiceNow Rhino engine
-
snow_create_mobile_actionExecuteCreates a mobile action that users can trigger from the mobile app. Actions can navigate, execute scripts, or open forms.
-
snow_create_vulnerability_scanExecuteCreates vulnerability scanning configurations. Schedules scans, sets severity thresholds, and enables auto-remediation.
-
snow_custom_apiExecuteMake an arbitrary REST call to any ServiceNow endpoint with the chosen method (GET/POST/PUT/PATCH/DELETE), path, query params, and JSON body. Escape hatch for endpoints that don
-
snow_elevate_roleExecuteExecute a server-side operation that requires elevated privileges (security_admin scope — ACL modifications, high-security properties, etc.). ALWAYS returns a confirmation promp...
-
snow_employee_offboardingExecuteInitiate employee offboarding workflow
-
snow_employee_onboardingExecuteTrigger employee onboarding workflow
-
snow_execute_atf_testExecuteExecutes an ATF test or test suite and returns the results. Tests run asynchronously in ServiceNow using sys_atf_test_result table.
-
snow_execute_scriptExecuteExecute server-side JavaScript on ServiceNow. Primary: synchronous execution via Scripted REST API (~1-3s). Fallback: scheduled job if endpoint unavailable. Auto-deploys the exe...
-
snow_execute_security_playbookExecuteExecute automated security response playbook with orchestrated actions
-
snow_execute_transformExecuteExecute transform map on import set
-
snow_fluent_buildExecuteBuild a local ServiceNow Fluent (SDK) project with now-sdk build. Compiles .now.ts Fluent sources + metadata XML
-
snow_fluent_installExecuteDeploy a built ServiceNow Fluent (SDK) project to the connected instance with now-sdk install. Build first with
-
snow_fluent_transformExecuteConvert ServiceNow app metadata XML into Fluent (SDK) TypeScript code with now-sdk transform. Use after snow_fluent_init
-
snow_github_deployExecuteDeploy files directly from GitHub to ServiceNow — content never passes through LLM context. Three modes: 1. Single file: source_path → one artifact field 2. Directory → Widget:...
-
snow_graphql_queryExecuteRun a GraphQL query against /api/now/graphql with optional variables. Use when you need to fetch nested data across tables in one round-trip; for simple list/get on a single tab...
-
snow_handoff_to_agentExecuteInitiates handoff from Virtual Agent to a live agent when automated assistance is insufficient.
-
snow_hash_stringExecuteHash string using various algorithms
-
snow_install_applicationExecuteInstall application from store
-
snow_install_spokeExecuteInstall and manage IntegrationHub Spokes (Jira, Slack, Azure DevOps, etc.)
-
snow_manage_spoke_connectionExecuteManage IntegrationHub spoke connections: configure, test, and troubleshoot
-
snow_ml_predictExecuteMake ML prediction using trained model
-
snow_orchestrate_developmentExecuteOrchestrates complex development workflows with intelligent agent coordination, shared memory, and real-time progress tracking.
-
snow_redeploy_script_endpointExecuteForce-redeploy the Serac scripted REST executor endpoint (/api/snow_flow_exec/execute). Use when snow_execute_script / UI policy tools fail with
-
snow_report_manageExecuteUnified tool for ServiceNow report lifecycle beyond creation: list, get, run, schedule, share, and export. Wraps sys_report, sysauto_report, and sys_report_users_groups. Action...
-
snow_rest_message_manageExecuteUniversal REST Message management tool. CRUD operations for: • REST Messages (list, get, create, update, delete) • HTTP Methods (list_methods, get_method, create_method, update_...
-
snow_rest_message_test_suiteExecuteComprehensive testing suite for REST messages including authentication, endpoints, headers, and response validation.
-
snow_retry_operationExecuteRetry failed operation with backoff
-
snow_run_compliance_scanExecuteRun compliance scans against security frameworks (SOX, GDPR, HIPAA, PCI-DSS)
-
snow_run_discoveryExecuteQueue a CMDB discovery scan against a discovery schedule, optionally narrowed to a target IP/range and a specific MID Server. Creates a discovery_schedule_item; the scan runs as...
-
snow_scan_vulnerabilitiesExecuteScan for security vulnerabilities
-
snow_scripted_rest_apiExecuteInvoke a Scripted REST API resource at /api/<namespace>/<path> with chosen method (GET/POST/PUT/PATCH/DELETE) and optional JSON body. Use for instance-defined REST endpoints; fo...
-
snow_send_push_notificationExecuteSends a push notification to mobile devices. Can target specific users, groups, or all users.
-
snow_send_va_messageExecuteSends a message to Virtual Agent and gets the response. Simulates user interaction with the chatbot.
-
snow_sir_playbook_orchestrateExecuteUnified tool for orchestrating Security Incident Response (SIR) playbooks on sn_si_playbook and sn_si_playbook_task. Drives a playbook step-by-step against an incident, tracking...
-
snow_sleepExecuteSleep for specified milliseconds
-
snow_source_controlExecuteUnified tool for the ServiceNow Studio Source Control plugin. Bridges git-style operations against an application
-
snow_start_workflowExecute⚠️ LEGACY: Start a workflow on a record (deprecated - ServiceNow recommends Flow Designer). Workflows run asynchronously.
-
snow_test_integrationExecuteTest REST/SOAP integrations and external connections with validation
-
snow_test_mid_connectivityExecuteTest MID Server connectivity to external endpoints and diagnose network issues
-
snow_train_pi_solutionExecute🎯 Train native ServiceNow Predictive Intelligence solution. Starts ML training INSIDE ServiceNow (requires PI license). Training typically takes 10-30 minutes.
-
snow_train_va_nluExecuteTrigger training of a Virtual Agent NLU model by model_id via /api/now/v1/va/models/{id}/train. Training runs asynchronously on the platform; this call only starts the job.
-
snow_transform_dataExecuteTransform data using field mappings
-
snow_trigger_scheduled_jobExecute⚠️ UNRELIABLE: Attempts to trigger a scheduled job via sys_trigger, but CANNOT guarantee execution. The job runs asynchronously when the ServiceNow scheduler picks it up — this ...
-
snow_widget_testExecuteExecutes comprehensive widget testing with multiple data scenarios. Validates client/server scripts, API calls, dependencies, and generates coverage reports.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.