Template operations: list available templates, render a template, or search template documentation.\n\nActions:\n- list: List templates from @Templates folder with their types and preview\n- render: Render a template by title (saved template) or raw content string (for debugging). Rendering requi...
AI agents invoke noteplan_templates to trigger actions in Noteplan. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
The 'render' action executes template processing, which can run arbitrary template logic and helpers against content. While 'list' and 'search_docs' are read-only, the most severe action is 'render' which executes code/template logic. The blast radius is medium since it operates within NotePlan's sandboxed template engine, but arbitrary raw content rendering could trigger unintended operations.
From the tool's definition render: Render a template by title (saved template) or raw content string (for debugging). Rendering requires a recent NotePlan build.
Attacks that exploit this kind of access
Template operations: list available templates, render a template, or search template documentation.\n\nActions:\n- list: List templates from @Templates folder with their types and preview\n- render: Render a template by title (saved template) or raw content string (for debugging). Rendering requires a recent NotePlan build.\n- search_docs: Semantic search over bundled NotePlan template documentation. Requires query param. Uses embeddings API or NotePlan built-in embedding. Returns matched doc chunks ranked by relevance — use this to look up template syntax, helpers, and examples before writing templates.\n- get_doc: Retrieve the full text of a doc chunk by noteTitle and chunkIndex (from search_docs results). Use this to read complete method signatures, format tokens, and examples that may be truncated in search_docs previews.\n\nDebugging workflow: After creating or editing a template, use render with its title or raw content to verify the output. Check variables, date formatting, and logic. If rendering fails or produces unexpected output, read the plugin log via noteplan_plugins(action:. It is categorised as a Execute tool in the Noteplan MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Noteplan MCP server in PolicyLayer and add a rule for noteplan_templates: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Noteplan. Nothing to install.
noteplan_templates is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the noteplan_templates rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for noteplan_templates. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
noteplan_templates is provided by the Noteplan MCP server (@noteplanco/noteplan-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →