Generate recursive thinking AI response using a different LLM (provider/model) for each alternative. No history/details output. Parameters: prompt (str, required). model/provider cannot be specified (randomly selected internally). Provider/model info for each alternative is always logged and incl...
AI agents invoke cort.think.simple_mixed_llm to trigger actions in CoRT MCP Server. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
This tool invokes external LLM services (multiple providers/models) to process a prompt through recursive rounds of alternative generation and evaluation. It executes external operations with side effects (API calls, compute consumption) rather than merely reading static data.
From the tool's definition 'Generate recursive thinking AI response using a different LLM (provider/model) for each alternative' — triggers external LLM API calls across multiple providers/models, executing external operations whose effects depend on the prompt argument
Documented attack patterns abuse exactly the kind of access cort.think.simple_mixed_llm gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and CoRT MCP Server, and nothing reaches the server without passing your rules. This is the rule we recommend for cort.think.simple_mixed_llm:
{
"version": "1",
"default": "deny",
"tools": {
"cort.think.simple_mixed_llm": {
"limits": [
{
"counter": "cort.think.simple_mixed_llm_rate",
"window": "minute",
"max": 10,
"scope": "grant"
}
]
}
}
}cort.think.simple_mixed_llm stays usable, but rate-capped — a runaway agent can't fire it dozens of times a minute. Everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Generate recursive thinking AI response using a different LLM (provider/model) for each alternative. No history/details output. Parameters: prompt (str, required). model/provider cannot be specified (randomly selected internally). Provider/model info for each alternative is always logged and included in the output. It is categorised as a Execute tool in the CoRT MCP Server MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the CoRT MCP Server MCP server in PolicyLayer and add a rule for cort.think.simple_mixed_llm: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches CoRT MCP Server. Nothing to install.
cort.think.simple_mixed_llm is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the cort.think.simple_mixed_llm rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for cort.think.simple_mixed_llm. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
cort.think.simple_mixed_llm is provided by the CoRT MCP Server MCP server (kunihiros/cort-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Start from CoRT MCP Server, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.
Free to start. No card required.
8 CoRT MCP Server tools catalogued and risk-classified — across an index of 43,000+ MCP servers.