High-risk tools in LocalAnt
60 of the 216 tools in LocalAnt are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
adb_input_textExecuteType text on the device (audited).
-
adb_install_apkExecuteInstall an APK (path must be inside an allowed directory). Requires approval (risk 3).
-
adb_keyeventExecuteSend a key event (e.g. 4 = BACK).
-
adb_shellExecuteRun an adb shell command. Dangerous commands (rm -rf, reboot, wipe, …) are rejected. Risk 3.
-
adb_start_appExecuteStart an app by package/activity.
-
adb_stop_appExecuteForce-stop an app by package.
-
adb_swipeExecuteSwipe between coordinates.
-
adb_tapExecuteTap at x,y.
-
agent_runExecute${DEPRECATED} Delegate to a local coding agent. mode=plan returns a plan; mode=execute starts an execution task.
-
approval_approveExecuteApprove a pending request. scope
-
autopilotExecuteDelegate a natural-language local task to LocalAnt
-
bashExecuteRun a shell command (bash -c) inside an allowed directory. Pipelines and && chaining work. Blocked commands (sudo, rm -rf, dd, mkfs, …) are always rejected. Risk 3.
-
browser_clickExecuteClick an element by selector.
-
browser_closeExecuteClose the browser.
-
browser_evaluateExecuteEvaluate JavaScript in the page context (risk 4).
-
browser_openExecuteOpen a URL in an isolated browser and return the title.
-
browser_pressExecutePress a keyboard key (e.g. Enter, Tab).
-
browser_scrollExecuteScroll the page by (x, y) pixels.
-
browser_selectExecuteSelect an option in a <select> by selector + value.
-
browser_typeExecuteType into an input by selector.
-
browser_wait_forExecuteWait for a selector to appear.
-
coding_agent_continue_taskExecute${DEPRECATED} Continue a task with additional instructions on the same branch.
-
coding_agent_run_validationExecute${DEPRECATED} Run a validate/test command in a working directory.
-
coding_agent_start_taskExecute${DEPRECATED} Start an execution task with a coding agent.
-
coding_agent_stop_taskExecute${DEPRECATED} Stop a running task.
-
computer_double_clickExecuteDouble-click at x,y (screenshot coordinates). Requires approval (risk 3).
-
computer_dragExecuteDrag from x1,y1 to x2,y2 (screenshot coordinates). Requires approval (risk 3).
-
computer_left_clickExecuteLeft-click at x,y (screenshot coordinates). Requires approval (risk 3).
-
computer_move_mouseExecuteMove the mouse cursor to x,y (screenshot coordinates) without clicking.
-
computer_open_appExecuteOpen (or bring to front) an application by name, e.g.
-
computer_paste_textExecutePut text on the clipboard and paste it with Cmd+V (faster and more reliable than computer_type
-
computer_right_clickExecuteRight-click at x,y (screenshot coordinates). Requires approval (risk 3).
-
computer_scrollExecuteScroll the focused element by sending Page Up/Down key presses (click the target area first
-
computer_typeExecuteType text at the current focus (newlines become Return presses). Requires approval (risk 3).
-
desktop_commander_run_toolExecute${DEPRECATED} Run a Desktop Commander tool through the MCP bridge.
-
git_checkout_branchExecuteCheckout an existing branch.
-
lsp_diagnosticsExecuteRun TypeScript diagnostics (tsc --noEmit) for a project path. Falls back to install guidance if tsc is missing.
-
mcp_server_run_toolExecuteInvoke a tool on a downstream MCP server through the gateway. Risk 3.
-
openclaw_node_commandExecute${DEPRECATED} Run a command on an OpenClaw node.
-
openclaw_run_skillExecute${DEPRECATED} Run an OpenClaw skill.
-
openclaw_send_sessionExecute${DEPRECATED} Send a message to an OpenClaw session.
-
project_install_depsExecuteInstall project dependencies using the detected package manager.
-
project_run_validationExecuteRun the project
-
restart_gatewayExecuteReload configuration into the running gateway.
-
shell_request_command_approvalExecuteRequest approval to run a command that is NOT on the allowlist. Returns an approval id; once approved, call shell_run_approved_command.
-
shell_run_allowed_commandExecuteRun a command from the allowlist. Pipelines/redirection/chaining are rejected.
-
shell_run_approved_commandExecuteRun an arbitrary command (still subject to the hard blocklist). Requires approval (risk 3).
-
shell_run_backgroundExecuteStart a long-running command as a tracked background process. Returns a processId.
-
shell_stopExecuteStop a tracked background process.
-
shell_stop_processExecuteStop a tracked process.
-
skill_enableExecuteEnable a skill after reviewing its permissions. Validates first.
-
skill_publish_to_gitExecuteInitialize/commit a skill directory ready to push to a git remote.
-
skill_runExecuteRun a tool exposed by an enabled skill in an isolated subprocess.
-
tunnel_restartExecuteRestart the public tunnel.
-
tunnel_startExecuteStart the public tunnel on the live gateway port.
-
tunnel_stopExecuteStop the public tunnel.
-
video_studio_generate_audioExecuteGenerate free local narration audio with VOICEVOX first, macOS say preview fallback, or FFmpeg silence fallback.
-
video_studio_generate_videoExecuteRun assets, audio, captions, render, review, and publish_prepare in one local free pipeline.
-
video_studio_publish_videoExecuteDry-run or prepare a browser/manual publish action. Risk 4 for real publishing.
-
video_studio_render_videoExecuteRender a local upload-ready MP4 with Remotion primary or FFmpeg static-slide fallback.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.