Execute TypeScript/JavaScript code with access to other MCP servers via HTTP proxy. Write code that makes fetch() requests to interact with available MCP servers. Excellent for chaining multiple operations, processing data, and building complex workflows.\n\nMCP Proxy endpoints:\n- GET http://loc...
AI agents invoke execute_code to trigger actions in Code Mode MCP Server. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
This tool permits execution of arbitrary code (TypeScript/JavaScript) in a sandbox with network access to call any MCP server tool. An AI agent could use this to execute malicious scripts, call destructive tools on other servers, exfiltrate data, or perform unauthorized operations.
From the tool's definition Tool explicitly enables "Execute TypeScript/JavaScript code" with "access to other MCP servers via HTTP proxy" and states it can "make fetch() requests to interact with available MCP servers." The description emphasizes executing arbitrary code in a sandbox…
Documented attack patterns abuse exactly the kind of access execute_code gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and Code Mode MCP Server, and nothing reaches the server without passing your rules. This is the rule we recommend for execute_code:
{
"version": "1",
"default": "deny",
"tools": {
"execute_code": {
"limits": [
{
"counter": "execute_code_rate",
"window": "minute",
"max": 10,
"scope": "grant"
}
]
}
}
}execute_code stays usable, but rate-capped — a runaway agent can't fire it dozens of times a minute. Everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Execute TypeScript/JavaScript code with access to other MCP servers via HTTP proxy. Write code that makes fetch() requests to interact with available MCP servers. Excellent for chaining multiple operations, processing data, and building complex workflows.\n\nMCP Proxy endpoints:\n- GET http://localhost:3001/mcp/servers - List available servers\n- GET http://localhost:3001/mcp/{server}/tools - List tools for server\n- POST http://localhost:3001/mcp/call - Call tool (body: {server, tool, args})\n\nUse when you need to: combine multiple MCP operations, process/transform data between calls, implement loops or conditional logic, or build multi-step workflows. Network access only, 30-second timeout. It is categorised as a Execute tool in the Code Mode MCP Server MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Code Mode MCP Server MCP server in PolicyLayer and add a rule for execute_code: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Code Mode MCP Server. Nothing to install.
execute_code is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the execute_code rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for execute_code. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
execute_code is provided by the Code Mode MCP Server MCP server (jx-codes/codemode-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Start from Code Mode MCP Server, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.
Free to start. No card required.
3 Code Mode MCP Server tools catalogued and risk-classified — across an index of 43,000+ MCP servers.