提供原型根路径和展示服务的端口号,可以多次调用。注意此过程需检测并安装运行 web 服务所需的包,可能时间较长
AI agents invoke init to trigger actions in MCP-Prototype. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
The tool performs package detection and installation ('检测并安装运行 web 服务所需的包'), which is a form of code execution on the host system. While primarily a setup/initialization function, it executes commands to install dependencies and start a web service. This goes beyond simple data retrieval (Read) or reversible modification (Write) — it actively runs operations with external effects.
From the tool's definition Tool description states it 'provides prototype root path and display service port number' and 'detects and installs packages needed to run web service' — this involves initializing a web service with package installation, which is code execution.
Attacks that exploit this kind of access
提供原型根路径和展示服务的端口号,可以多次调用。注意此过程需检测并安装运行 web 服务所需的包,可能时间较长. It is categorised as a Execute tool in the MCP-Prototype MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the MCP-Prototype MCP server in PolicyLayer and add a rule for init: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches MCP-Prototype. Nothing to install.
init is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the init rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for init. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
init is provided by the MCP-Prototype MCP server (llxxbb/mcp-prototype). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →