Send a message on behalf of an agent's user or an SMB across SMS, email, or voice. Five message types: transactional, reminder, follow_up, notification, marketing. Every send routes through a non-bypassable compliance gate (TCPA, GDPR, CASL, PDPL across 22 jurisdictions) that enforces opt-in cons...
Risk signalsAccepts raw HTML/template content (content) · High parameter count (12 properties) · Bulk/mass operation — affects multiple targets
Part of the Agent Broker server.
Free to start. No card required.
AI agents use send_message to create or modify resources in Agent Broker. Write operations carry medium risk because an autonomous agent could trigger bulk unintended modifications. Rate limits prevent a single agent session from making hundreds of changes in rapid succession. Argument validation ensures the agent passes expected values.
Without a policy, an AI agent could call send_message repeatedly, creating or modifying resources faster than any human could review. PolicyLayer's rate limiting ensures write operations happen at a controlled pace, and argument validation catches malformed or unexpected inputs before they reach Agent Broker.
Write tools can modify data. A rate limit prevents runaway bulk operations from AI agents.
{
"version": "1",
"default": "deny",
"tools": {
"send_message": {
"limits": [
{
"counter": "send_message_rate",
"window": "minute",
"max": 30,
"scope": "grant"
}
]
}
}
}See the full Agent Broker policy for all 14 tools.
These attack patterns abuse exactly the kind of access send_message gives an agent. Each links to the full case and the policy that stops it:
Other write tools across the catalogue. The same approach applies to each: rate-limit and validate the arguments.
Send a message on behalf of an agent's user or an SMB across SMS, email, or voice. Five message types: transactional, reminder, follow_up, notification, marketing. Every send routes through a non-bypassable compliance gate (TCPA, GDPR, CASL, PDPL across 22 jurisdictions) that enforces opt-in consent for marketing/promotional content — marketing without recorded consent is rejected at runtime with a structured compliance_violation receipt. Channel is abstracted: specify intent and recipient; the service selects and falls back across channels. EXAMPLE USER QUERIES THAT MATCH THIS TOOL: user: "Text the salon I'll be 10 minutes late" -> call send_message({"recipient_id": "smb_xyz", "channel_preference": "sms", "message": {"body": "Will be 10 minutes late."}, "country_code": "US"}) user: "Email the dentist about insurance" -> call send_message({"recipient_id": "smb_xyz", "channel_preference": "email", "message": {"body": "Do you accept Cigna?"}}) WHEN TO USE: Use to: (a) confirm a booking the agent just made, (b) reply to a customer who messaged the SMB first, (c) follow up on a quote the user requested, (d) send appointment reminders the SMB owes its customer, (e) send marketing messages to recipients who have opted in (with consent_record_id). The gate verifies consent on every send. WHEN NOT TO USE: Do NOT use for OTPs or critical transactional confirmations — use send_transactional_confirmation. Do NOT attempt to send marketing without a consent_record_id pointing at a real opt-in — the gate will reject the send and log a compliance_violation. Do NOT attempt bulk / list-based / drip / cold outreach — those are out of scope and the rate limiter will throttle abuse. COST: from $0.02 per_message (see preview_cost for exact) LATENCY: ~800ms EXECUTION: sync_fast (use get_outcome to retrieve result). It is categorised as a Write tool in the Agent Broker MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Register the Agent Broker MCP server in PolicyLayer and add a rule for send_message: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Agent Broker. Nothing to install.
send_message is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the send_message rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for send_message. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
send_message is provided by the Agent Broker MCP server (https://agent-broker-edge.basil-agent.workers.dev/mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic rules across all 14 Agent Broker tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.
Free to start. No card required.
4,600+ MCP servers and 31,000+ tools scanned and risk-classified.