RECOMMENDED: Upload from file paths or URLs (2-5s per image) When to use: Pre-existing files on disk or web URLs Prerequisites: Vehicle must exist, valid file paths/URLs Batch support: 1-50 images per call (optimal: 10-20) Accepts: Local paths (/path/to/image.jpg), URLs (https://...) Auto-main im...
AI agents use upload_vehicle_images to create or update resources in StockSpark MCP Server — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your StockSpark MCP Server environment.
This tool creates or modifies data (vehicle images) in the dealership inventory system. It is reversible—images can be deleted via delete_vehicle_image—making it Write rather than Destructive. The batch support (1-50 images) and auto-main image assignment increase the potential blast radius if an agent uploads incorrect or malicious images to many vehicles, warranting medium severity.
From the tool's definition Tool description states 'Upload from file paths or URLs' and accepts 'Local paths' and 'URLs' to create image assets associated with vehicles. The sibling tool list includes 'delete_vehicle_image', confirming this tool creates reversible image records.
Attacks that exploit this kind of access
RECOMMENDED: Upload from file paths or URLs (2-5s per image) When to use: Pre-existing files on disk or web URLs Prerequisites: Vehicle must exist, valid file paths/URLs Batch support: 1-50 images per call (optimal: 10-20) Accepts: Local paths (/path/to/image.jpg), URLs (https://...) Auto-main image: First image automatically set as main if vehicle has no images Pro tip: For bulk uploads, prepare file list first. It is categorised as a Write tool in the StockSpark MCP Server MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Register the StockSpark MCP Server MCP server in PolicyLayer and add a rule for upload_vehicle_images: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches StockSpark MCP Server. Nothing to install.
upload_vehicle_images is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the upload_vehicle_images rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for upload_vehicle_images. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
upload_vehicle_images is provided by the StockSpark MCP Server MCP server (loukach/stockspark-mcp-poc). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →