// MCP TOOL REFERENCE
Medium Risk

ctrl_create_workflow

Create a CTRL workflow draft. ONE trigger + an ordered chain of up to 20 actions/conditions/utilities. Returns { workflowId, activateUrl }. Pass targetChain to pick which chain the workflow runs on — "base" (default, launchpads + Aerodrome + UniV4) or "ethereum" (UniV3 only, no launchpads, no cla...

Risk signalsBulk/mass operation — affects multiple targets

Part of the CTRL server.

ctrl_create_workflow can modify CTRL data, with no limits today. PolicyLayer puts allow, deny, and rate-limit rules on every call. Live in minutes.

SECURE CTRL →

Free to start. No card required.

WHEN AGENTS USE THIS TOOL

AI agents use ctrl_create_workflow to create or modify resources in CTRL. Write operations carry medium risk because an autonomous agent could trigger bulk unintended modifications. Rate limits prevent a single agent session from making hundreds of changes in rapid succession. Argument validation ensures the agent passes expected values.

Without a policy, an AI agent could call ctrl_create_workflow repeatedly, creating or modifying resources faster than any human could review. PolicyLayer's rate limiting ensures write operations happen at a controlled pace, and argument validation catches malformed or unexpected inputs before they reach CTRL.

RECOMMENDED POLICY

Write tools can modify data. A rate limit prevents runaway bulk operations from AI agents.

policy.json 
{
  "version": "1",
  "default": "deny",
  "tools": {
    "ctrl_create_workflow": {
      "limits": [
        {
          "counter": "ctrl_create_workflow_rate",
          "window": "minute",
          "max": 30,
          "scope": "grant"
        }
      ]
    }
  }
}

See the full CTRL policy for all 6 tools.

Get this rule live on your own CTRL server in minutes. PolicyLayer enforces it on every call, before it runs.

ENFORCE ON MY CTRL →

MORE CTRL TOOLS

Execute ctrl_fire_manual Write ctrl_activate Read ctrl_get_block_catalog Read ctrl_get_execution_logs Read ctrl_get_vault_status

WHAT CAN GO WRONG

These attack patterns abuse exactly the kind of access ctrl_create_workflow gives an agent. Each links to the full case and the policy that stops it:

Browse the full MCP Attack Database →

Every attack above starts with a tool call. PolicyLayer checks each one against your policy first, so ctrl_create_workflow only ever does what you allow.

SECURE CTRL →

OTHER WRITE TOOLS

Other write tools across the catalogue. The same approach applies to each: rate-limit and validate the arguments.

Firecrawl Web Scraping Server firecrawl_generate_llmstxt AbraFlexi contact_create AbraFlexi contact_update AbraFlexi evidence_create AbraFlexi evidence_update AbraFlexi invoice_issued_update

RELATED READING

FAQ

What does the ctrl_create_workflow tool do? +

Create a CTRL workflow draft. ONE trigger + an ordered chain of up to 20 actions/conditions/utilities. Returns { workflowId, activateUrl }. Pass targetChain to pick which chain the workflow runs on — "base" (default, launchpads + Aerodrome + UniV4) or "ethereum" (UniV3 only, no launchpads, no clanker/zora). CRITICAL: call ctrl_get_block_catalog FIRST (with the same chain value) to discover field names — every key in trigger.config and chain[].config must exactly match catalog fields[].key. Populate EVERY field the user expressed intent for. For pool.created (Token Launch, Base-only) set launchpad (e.g. ["bankr"]), keywordIncludes ("ai,agent,claw"), keywordMatchMode "any", keywordCategories (["ai_agents"]), safetyEnabled true, safetyRejectHoneypot true, safetyMinScore 50. For cypher.swap set tokenIn ("ETH"), tokenOut ("{{trigger.tokenAddress}}"), tokenOutMode "dynamic", amount (ETH units, e.g. 0.005 — ASK USER if not specified), slippage (15 for snipes), and autoSell* if user wants an exit (autoSellEnabled true, autoSellMode "multiple", autoSellMultiplier 2, autoSellPercent 100, autoSellReceiveToken "USDC"). For notify.telegram set message with {{token}}/{{amount}}/{{txHash}} placeholders. Interview the user for missing critical fields (amount, exit strategy, keywords) — do not silently default.. It is categorised as a Write tool in the CTRL MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.

How do I enforce a policy on ctrl_create_workflow? +

Register the CTRL MCP server in PolicyLayer and add a rule for ctrl_create_workflow: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches CTRL. Nothing to install.

What risk level is ctrl_create_workflow? +

ctrl_create_workflow is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.

Can I rate-limit ctrl_create_workflow? +

Yes. Add a rate_limit block to the ctrl_create_workflow rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block ctrl_create_workflow completely? +

Set action: deny in the PolicyLayer policy for ctrl_create_workflow. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides ctrl_create_workflow? +

ctrl_create_workflow is provided by the CTRL MCP server (https://www.ctrl.build/api/mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.

Enforce policy on every CTRL tool call.

Deterministic rules across all 6 CTRL tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

SECURE CTRL →

Free to start. No card required.

4,600+ MCP servers and 31,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.