Generate recursive thinking AI response with full history, using a different LLM (provider/model) for each alternative. Parameters: prompt (str, required). model/provider cannot be specified (randomly selected internally). Provider/model info for each alternative is always logged and included in ...
AI agents invoke cort.think.details_mixed_llm to trigger actions in CoRT MCP Server. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
This tool executes external API calls to multiple LLM providers to generate recursive reasoning chains. It is not a simple read (it initiates computation and external service calls), not a write (no persistent data creation), and not destructive or financial. The most accurate category is Execute, as it triggers external operations (LLM inference across providers) whose outputs depend on the input prompt.
From the tool's definition 'Generate recursive thinking AI response...using a different LLM (provider/model) for each alternative' — triggers external LLM API calls across multiple providers/models whose effects depend on the prompt argument
Documented attack patterns abuse exactly the kind of access cort.think.details_mixed_llm gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and CoRT MCP Server, and nothing reaches the server without passing your rules. This is the rule we recommend for cort.think.details_mixed_llm:
{
"version": "1",
"default": "deny",
"tools": {
"cort.think.details_mixed_llm": {
"limits": [
{
"counter": "cort.think.details_mixed_llm_rate",
"window": "minute",
"max": 10,
"scope": "grant"
}
]
}
}
}cort.think.details_mixed_llm stays usable, but rate-capped — a runaway agent can't fire it dozens of times a minute. Everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Generate recursive thinking AI response with full history, using a different LLM (provider/model) for each alternative. Parameters: prompt (str, required). model/provider cannot be specified (randomly selected internally). Provider/model info for each alternative is always logged and included in the output and history. It is categorised as a Execute tool in the CoRT MCP Server MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the CoRT MCP Server MCP server in PolicyLayer and add a rule for cort.think.details_mixed_llm: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches CoRT MCP Server. Nothing to install.
cort.think.details_mixed_llm is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the cort.think.details_mixed_llm rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for cort.think.details_mixed_llm. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
cort.think.details_mixed_llm is provided by the CoRT MCP Server MCP server (kunihiros/cort-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Start from CoRT MCP Server, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.
Free to start. No card required.
8 CoRT MCP Server tools catalogued and risk-classified — across an index of 43,000+ MCP servers.