High-risk tools in Todos
30 of the 528 tools in Todos are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
begin_task_run_transactionExecutePreview or apply an idempotent local loop run transaction keyed by a stable loop/run id.
-
build_context_packExecuteGenerate local agent context pack (JSON + Markdown prompt bundle) for a task, project, or plan.
-
check_database_integrityExecuteRun PRAGMA quick_check and foreign key validation on local SQLite DB.
-
claim_next_agent_runExecuteAtomically claim the next queued local agent run.
-
dispatch_task_listExecuteLegacy/emergency only: send all tasks from a task list to a tmux window after a human explicitly chooses tmux delivery. Normal pending-task routing should use task-created headl...
-
dispatch_tasksExecuteLegacy/emergency only: send specific tasks to a tmux window after a human explicitly chooses tmux delivery. Normal pending-task routing should use task-created headless workflow...
-
dispatch_to_multipleExecuteLegacy/emergency fan-out: send the same tasks or task list to multiple tmux windows in sequence after a human explicitly chooses tmux delivery. A stagger delay is applied betwee...
-
enqueue_agent_runExecuteQueue a local agent run for a task or plan.
-
evaluate_terminal_watch_rulesExecuteEvaluate all local terminal notification watch rules against a sample event.
-
install_local_extensionExecuteInstall or update a local workflow extension from a manifest, directory, or offline bundle.
-
preview_user_scaffoldExecuteDry-run preview of a user scaffold with variables.
-
process_remindersExecuteFire due local reminders; optional desktop notify-send when enabled.
-
queue_agent_runExecuteQueue a local agent run for a task and attach a run ledger ID. Does not call hosted runners.
-
require_approval_gateExecuteCreate a local manual approval checkpoint before risky task or run work.
-
retry_agent_runExecuteManually re-queue a failed or cancelled agent run.
-
retry_agent_run_dispatchExecuteQueue a retry for a previous local agent dispatch.
-
run_agent_workflow_demoExecuteRun a scripted local agent workflow demo (agents, projects, tasks, runs) using an ephemeral database.
-
run_doctorExecuteRun local doctor diagnostics and optionally apply safe repairs after dry-run review.
-
run_due_dispatchesExecuteLegacy/emergency only: manually trigger all pending tmux dispatches that are due (scheduled_at <= now). Returns the count fired.
-
run_next_agent_dispatchExecuteRun the next queued local agent dispatch, optionally as a dry-run.
-
run_release_checksExecuteRun public package release and supply-chain hardening checks.
-
run_saved_viewExecuteExecute a saved view by slug or id.
-
run_verificationExecuteRun a local verification provider and store normalized evidence record.
-
run_verification_providerExecuteRun a local verification provider and optionally record task verification evidence.
-
simulate_agent_replayExecuteDry-run replay a recorded local agent context pack or run fixture without mutating the task database.
-
start_focus_sessionExecuteStart a local focus session for a task, plan, run, or general agent work.
-
test_local_event_hookExecuteDeliver a test event to one configured local event hook.
-
test_local_extension_compatibilityExecuteRun local CLI/MCP compatibility checks and runner sandbox dry-runs for an extension without installing it.
-
test_terminal_notification_ruleExecuteEvaluate one local terminal notification watch rule against a sample event.
-
watch_source_todosExecuteRun finite local source TODO watcher scans. Uses polling, respects .gitignore/excludes, and can dry-run or apply extracted tasks.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.