AI agents invoke finish to trigger actions in Rr. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
The finish command triggers execution of the target program to a specific point (function return), which is a debugger control operation that causes the program to run. While not arbitrary shell command execution, it is analogous to 'continue' or 'step' debugger commands that resume and control code execution.
From the tool's definition Tool description states 'Run until the current function returns' — this executes code/program flow control in a debugger context. The tool is part of an rr (Mozilla's record-and-replay debugger) orchestration server.
Attacks that exploit this kind of access
Run until the current function returns, then stop at the caller. It is categorised as a Execute tool in the Rr MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Rr MCP server in PolicyLayer and add a rule for finish: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Rr. Nothing to install.
finish is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the finish rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for finish. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
finish is provided by the Rr MCP server (jnjaeschke/rr-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →