obdiag 集群信息查询功能,执行获取的指令列表,需要功能来自obdiag_display_list的返回结果。只需要返回obdiag_display_list结果 :param scene: 指令名,来自obdiag_display_list的返回结果,如 'obdiag display scene run --scene=observer.all_tenant',则赋值 scene=observer.all_tenant :param env_dict: 环境变量,来自obdiag_display_list的返回结果,只有在要求填入env的时候才需要赋值,如 'oobdiag di...
AI agents invoke obdiag_display_run to trigger actions in Mcp Oceanbase. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
This tool executes diagnostic commands against an OceanBase cluster using obdiag. It runs external commands/scripts based on provided scene and environment parameters. While it is described as a 'query' function, it actively executes a list of instructions on the cluster, making it Execute category.
From the tool's definition 执行获取的指令列表 (executes the retrieved instruction list); calls obdiag display scene run with scene parameters and env variables
Documented attack patterns abuse exactly the kind of access obdiag_display_run gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and Mcp Oceanbase, and nothing reaches the server without passing your rules. This is the rule we recommend for obdiag_display_run:
{
"version": "1",
"default": "deny",
"tools": {
"obdiag_display_run": {
"limits": [
{
"counter": "obdiag_display_run_rate",
"window": "minute",
"max": 10,
"scope": "grant"
}
]
}
}
}obdiag_display_run stays usable, but rate-capped — a runaway agent can't fire it dozens of times a minute. Everything else on the server is denied unless you say otherwise.
Free to start. No card required.
obdiag 集群信息查询功能,执行获取的指令列表,需要功能来自obdiag_display_list的返回结果。只需要返回obdiag_display_list结果 :param scene: 指令名,来自obdiag_display_list的返回结果,如 'obdiag display scene run --scene=observer.all_tenant',则赋值 scene=observer.all_tenant :param env_dict: 环境变量,来自obdiag_display_list的返回结果,只有在要求填入env的时候才需要赋值,如 'oobdiag display scene run --scene=observer.index --env database_name=test --env table_name=test',则赋值 env_dict={'database_name':'test','table_name':'test'} :param cluster_name: 集群配置文件名前缀,可选。如 ob_test 表示使用 ~/.obdiag/ob_test.yml。不传则使用默认 config.yml :return: 洞察结果. It is categorised as a Execute tool in the Mcp Oceanbase MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Mcp Oceanbase MCP server in PolicyLayer and add a rule for obdiag_display_run: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Mcp Oceanbase. Nothing to install.
obdiag_display_run is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the obdiag_display_run rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for obdiag_display_run. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
obdiag_display_run is provided by the Mcp Oceanbase MCP server (oceanbase/awesome-oceanbase-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic rules across all 134 Mcp Oceanbase tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.
Free to start. No card required.
134 Mcp Oceanbase tools catalogued and risk-classified — across an index of 42,500+ MCP servers.