Execute a user-defined prompt with given content.
AI agents invoke execute_custom_prompt to trigger actions in Notemd MCP Server. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
This tool allows execution of arbitrary user-defined prompts against content, which is a form of code execution. While it operates within a knowledge base/markdown context rather than system-level shell access, it still triggers external operations (LLM inference, content transformation) whose outcomes are not predetermined and depend entirely on the prompt input.
From the tool's definition Tool name is 'execute_custom_prompt' with description 'Execute a user-defined prompt with given content.' The verb 'execute' combined with 'user-defined prompt' indicates arbitrary code/instruction execution whose effects depend on prompt arguments.
Attacks that exploit this kind of access
Execute a user-defined prompt with given content. It is categorised as a Execute tool in the Notemd MCP Server MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Notemd MCP Server MCP server in PolicyLayer and add a rule for execute_custom_prompt: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Notemd MCP Server. Nothing to install.
execute_custom_prompt is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the execute_custom_prompt rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for execute_custom_prompt. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
execute_custom_prompt is provided by the Notemd MCP Server MCP server (jacobinwwey/notemd-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →