Surgical update of one agent. Preferred path for any single-field edit on an existing agent — only the fields in updates / replace / unset are touched, every other field is left as-is. Same merge model as update_step. Merge semantics update_agent accepts three independent operations on the same c...
Risk signalsBulk/mass operation — affects multiple targets
Part of the Agentled server.
Free to start. No card required.
AI agents may call update_agent to permanently remove or destroy resources in Agentled. Without a policy, an autonomous agent could delete critical data in a loop with no way to undo the damage. PolicyLayer blocks destructive tools by default and requires explicit human approval before enabling them.
Without a policy, an AI agent could call update_agent in a loop, permanently destroying resources in Agentled. There is no undo for destructive operations. PolicyLayer blocks this tool by default and only allows it when a human explicitly approves the action.
Destructive tools permanently remove data. Block by default. Only enable with explicit approval workflows.
{
"version": "1",
"default": "deny",
"hide": [
"update_agent"
]
}See the full Agentled policy for all 119 tools.
These attack patterns abuse exactly the kind of access update_agent gives an agent. Each links to the full case and the policy that stops it:
Other destructive tools across the catalogue. The same approach applies to each: deny by default, or require human approval.
Surgical update of one agent. Preferred path for any single-field edit on an existing agent — only the fields in updates / replace / unset are touched, every other field is left as-is. Same merge model as update_step. Merge semantics update_agent accepts three independent operations on the same call. At least one must be non-empty. - updates — partial agent patch. Top-level fields (name, description, instructions, status, goals, chatModel, enabledApps, etc.) are shallow-replaced. Nested objects (configFiles, avatar) are deep-merged ONE LEVEL — keys you don't mention are preserved. Arrays (enabledApps, enabledActions, assignedWorkflowIds, linkedFileIds) are replaced wholesale. - replace: string[] — dot-paths whose values from updates are assigned WHOLESALE, skipping deep-merge. Use this when you genuinely want to wipe a dictionary (e.g. replace: ["configFiles"] swaps the whole configFiles dict instead of merging key-by-key). - unset: string[] — dot-paths to DELETE (e.g. ["goals"], ["configFiles.SOUL.md"]). Each must currently exist on the agent. - null in updates — shortcut for unset (e.g. updates: { goals: null }). Common edit recipes | Goal | Call | |---|---| | Update one config file (preserve others) | updates: { configFiles: { "SOUL.md": "new persona…" } } | | Replace all instructions | updates: { instructions: "new system prompt" } | | Rename agent slug/email address | updates: { slug: "pitchnight" } | | Assign workflows (full replace) | updates: { assignedWorkflowIds: ["wf-1", "wf-2"] } | | Add to assigned workflows | fetch via get_agent, modify locally, send full new array (or use manage_agent_workflows) | | Change avatar color only | updates: { avatar: { color: "#7C3AED" } } (iconName preserved) | | Activate (fail-fast on missing fields) | updates: { status: "active" } | | Deactivate / pause | updates: { status: "paused" } or updates: { status: "draft" } | | Unset a scalar field | updates: { goals: null } or unset: ["goals"] | | Wipe + reset configFiles wholesale | updates: { configFiles: { "SOUL.md": "…", "TOOLS.md": "…" } }, replace: ["configFiles"] | | Remove just one config file | unset: ["configFiles.SOUL.md"] | The trap. Default deep-merge for configFiles and avatar is one level — sending a partial dict preserves siblings. To force a full wipe, use replace: ["configFiles"]. Activation requirements (fail-fast on status: "active") When transitioning to active, the agent is validated: - instructions must be non-empty - configFiles["SOUL.md"] must be present, > 200 chars, and not contain the placeholder marker - configFiles["TOOLS.md"] must be present, > 200 chars, and not contain the placeholder marker If any check fails, the agent is NOT updated. The response is { ok: false, errors: ["…"] } (HTTP 400). Fix the missing fields and retry. For scheduled / autonomous behaviour, attach routines via create_routine AFTER activation. Routines are first-class entities — they are NOT a field on the agent. What update_agent will NOT do - Cannot change agent.id (immutable, 400) - Changing agent.slug moves the AgentEntity to a new {slug}@{workspace} id, rebinds routines/file links/channel sessions/chat sessions where available, and updates the agent email address derived from the slug. - Cannot create new agents (use create_agent) - Cannot delete agents (use delete_agent) - Does not edit routines (use update_routine / create_routine / pause_routine) - Does not validate the merged result is internally consistent — only the activation guard runs. Other invariants are caller's responsibility. Diff + warnings Response includes diff: { addedPaths, changedPaths, removedPaths } and warnings[]. ≥6 fields removed without explicit unset triggers a warning — usually a "you wiped a dictionary" signal.. It is categorised as a Destructive tool in the Agentled MCP Server, which means it can permanently delete or destroy data. Block by default and require explicit approval.
Register the Agentled MCP server in PolicyLayer and add a rule for update_agent: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Agentled. Nothing to install.
update_agent is a Destructive tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the update_agent rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for update_agent. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
update_agent is provided by the Agentled MCP server (@agentled/mcp-server). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic rules across all 119 Agentled tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.
Free to start. No card required.
4,600+ MCP servers and 31,000+ tools scanned and risk-classified.