Manage app storage: presigned upload/download URLs, list/delete objects, update config. Actions: - "upload_url": Get a presigned PUT URL to upload a file (expires in 15 min) - "download_url": Get a presigned GET URL for a stored file (expires in 1 hour) - "list": List all objects in app storage w...
Risk signalsAccepts file system path (filename)
Part of the Mcp server.
Free to start. No card required.
AI agents may call manage_storage to permanently remove or destroy resources in Mcp. Without a policy, an autonomous agent could delete critical data in a loop with no way to undo the damage. PolicyLayer blocks destructive tools by default and requires explicit human approval before enabling them.
Without a policy, an AI agent could call manage_storage in a loop, permanently destroying resources in Mcp. There is no undo for destructive operations. PolicyLayer blocks this tool by default and only allows it when a human explicitly approves the action.
Destructive tools permanently remove data. Block by default. Only enable with explicit approval workflows.
{
"version": "1",
"default": "deny",
"hide": [
"manage_storage"
]
}See the full Mcp policy for all 47 tools.
These attack patterns abuse exactly the kind of access manage_storage gives an agent. Each links to the full case and the policy that stops it:
Other destructive tools across the catalogue. The same approach applies to each: deny by default, or require human approval.
Manage app storage: presigned upload/download URLs, list/delete objects, update config. Actions: - "upload_url": Get a presigned PUT URL to upload a file (expires in 15 min) - "download_url": Get a presigned GET URL for a stored file (expires in 1 hour) - "list": List all objects in app storage with metadata - "delete": Permanently delete an object from S3 + database - "update_config": Update storage config (e.g., publicReadEnabled) Parameters by action: upload_url: { app_id, action: "upload_url", filename, content_type, size_bytes, public? } download_url: { app_id, action: "download_url", object_id } list: { app_id, action: "list" } delete: { app_id, action: "delete", object_id } update_config: { app_id, action: "update_config", publicReadEnabled? } object_id is the UUID returned from upload or list. Do NOT pass the s3_key / bucket path (e.g. app_id/user_id/uuid_file.jpg) — that is metadata only and is not a usable URL. Upload workflow: 1. action: "upload_url" → returns { upload_url, object_id, expires_at } 2. PUT the file to upload_url with the matching Content-Type header 3. Persist object_id (e.g. users.avatar_id) 4. Later: action: "download_url" with that object_id Set public: true on upload_url to make the file downloadable by any authenticated user (e.g. post images, avatars). Files are private by default. publicReadEnabled (update_config): - true: any authenticated user can download any file (uploads/deletes still user-scoped) - false (default): users can only download their own files; platform auth (API key) can still access any file Limits & errors: - Files: max 10 MB each (QUOTA_FILE_SIZE_EXCEEDED) - QUOTA_STORAGE_EXCEEDED: delete unused files or upgrade plan - RESOURCE_NOT_FOUND: app or object doesn't exist (verify object_id, not s3_key) - delete is idempotent (no-op if already deleted); upload/download URL generation is not (new URL each call) Warning: "delete" cannot be undone. Update DB references (e.g. users.avatar_id) first.. It is categorised as a Destructive tool in the Mcp MCP Server, which means it can permanently delete or destroy data. Block by default and require explicit approval.
Register the MCP server in PolicyLayer and add a rule for manage_storage: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Mcp. Nothing to install.
manage_storage is a Destructive tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the manage_storage rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for manage_storage. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
manage_storage is provided by the MCP server (@butterbase/mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic rules across all 47 Mcp tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.
Free to start. No card required.
4,600+ MCP servers and 31,000+ tools scanned and risk-classified.