Decompose a goal and report which predicates the live TBox can/cannot answer. When executeResearch=true and corpusRoot is provided, also fetch artifacts from that directory, extract candidate triples, and assert them via kg_assert. Set useLlmDecomposer=true to enable LLM-augmented decomposition f...
AI agents use kg_research_goal to create or update resources in Predicate — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your Predicate environment.
While the tool's primary function is decomposition and research (read-like), the conditional ability to execute assertions that modify the knowledge graph through kg_assert elevates it to Write category. The tool can create new triples in the TBox, which is a reversible modification. It is not Destructive because assertions are not irreversible deletions.
From the tool's definition Tool description states it can "assert them via kg_assert" when executeResearch=true and corpusRoot is provided, indicating it modifies the knowledge graph by adding triples.
Attacks that exploit this kind of access
Decompose a goal and report which predicates the live TBox can/cannot answer. When executeResearch=true and corpusRoot is provided, also fetch artifacts from that directory, extract candidate triples, and assert them via kg_assert. Set useLlmDecomposer=true to enable LLM-augmented decomposition for questions that do not match a built-in pattern; the decomposer prefers MCP sampling (no API key needed) and falls back to ANTHROPIC_API_KEY, then to deterministic. It is categorised as a Write tool in the Predicate MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Register the Predicate MCP server in PolicyLayer and add a rule for kg_research_goal: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Predicate. Nothing to install.
kg_research_goal is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the kg_research_goal rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for kg_research_goal. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
kg_research_goal is provided by the Predicate MCP server (nordicagents/predicate). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →