The Python MCP server exposes tools that can move money, delete data, or destroy resources. Without policy enforcement, an autonomous agent has unrestricted access to every one of them.
Destructive tools (conda, poetry) permanently delete resources. There is no undo. An agent calling these in a retry loop causes irreversible damage.
Write operations (pip-install, uv-install) modify state. Without rate limits, an agent can make hundreds of changes in seconds -- faster than any human can review or revert.
Execute tools (uv-run) trigger processes with side effects. Builds, notifications, workflows -- all fired without throttling.
These Python tools can modify, create, or destroy resources. Without a policy, your agent has unrestricted access to all of them.
Tool | Description | Category
pip-install | Runs pip install and returns a structured summary of installed packages. WARNING: may execute untrusted code. | Write
uv-install | Runs uv pip install and returns a structured summary of installed packages. WARNING: may execute untrusted code. | Write
conda | Runs conda commands (list, info, env-list, create, remove, update) and returns structured JSON output. | Destructive
poetry | Runs Poetry commands and returns structured output. Supports install, add, remove, show, build, update, lock, check, and export actions. | Destructive
uv-run | Runs a command in a uv-managed environment and returns structured output. | Execute
These rules are based on the tool categories exposed by the Python MCP server. Adjust the limits to match your use case.
conda:
  rules:
    - action: deny
      on_deny: "Destructive operations blocked by policy"
Destructive tools should never be available to autonomous agents without human approval.
pip-install:
  rules:
    - name: "write-rate-limit"
      rate_limit: 30/hour
      on_deny: "Write rate limit reached"
Prevents bulk unintended modifications from agents caught in loops.
black:
  rules:
    - action: allow
      rate_limit: 60/minute
Controls API costs and prevents retry loops from exhausting upstream rate limits.
This is the complete policy file for Python. It lists every tool with suggested default rules. Download it, adjust the limits, and run with Intercept.
version: "1"
default: "deny"
tools:
  conda:
    rules:
      - action: deny
        on_deny: "Destructive operation blocked by policy"
  poetry:
    rules:
      - action: deny
        on_deny: "Destructive operation blocked by policy"
  uv-run:
    rules:
      - action: allow
        rate_limit: 10/hour
        validate:
          required_args: true
  black:
    rules:
      - action: allow
        rate_limit: 60/minute
  mypy:
    rules:
      - action: allow
        rate_limit: 60/minute
  pip-audit:
    rules:
      - action: allow
        rate_limit: 60/minute
  pip-list:
    rules:
      - action: allow
        rate_limit: 60/minute
  pip-show:
    rules:
      - action: allow
        rate_limit: 60/minute
  pyenv:
    rules:
      - action: allow
        rate_limit: 60/minute
  pytest:
    rules:
      - action: allow
        rate_limit: 60/minute
  ruff-check:
    rules:
      - action: allow
        rate_limit: 60/minute
  ruff-format:
    rules:
      - action: allow
        rate_limit: 60/minute
  pip-install:
    rules:
      - action: allow
        rate_limit: 30/hour
  uv-install:
    rules:
      - action: allow
        rate_limit: 30/hour
Download the policy
curl -o io-github-dave-london-pare-python.yaml https://raw.githubusercontent.com/policylayer/intercept/main/policies/io-github-dave-london-pare-python.yaml
Run Intercept in front of the server
intercept -c io-github-dave-london-pare-python.yaml -- npx -y @paretools/python
Works with any MCP client.
Every tool call is now checked against your policy before it reaches Python. Denied calls are blocked and logged. Allowed calls pass through with no latency impact.
Open source. One binary. Zero dependencies.
npx -y @policylayer/intercept