Primary V3 PDF reader. With only sources, it auto-inspects and returns a routed Agent Document Twin; use auto_detail or explicit include_* options for precise control.
AI agents call read_pdf to retrieve information from Pdf Reader without modifying anything — typically the context-gathering step in research, monitoring, and reporting workflows, before the agent takes action elsewhere.
| Parameter | Type | Required | Description |
|---|---|---|---|
auto | boolean | — | Automatically inspect each source and choose high-value extraction options before reading. Defaults to true when no explicit include_* options are supplied; exp |
sources | array | Yes | |
auto_detail | object | — | Automatic extraction depth. fast returns the core document twin route, balanced adds trust/accessibility evidence, and full adds fuller text/HTML/structure outp |
include_html | boolean | — | Include a simple HTML rendering of extracted pages for preview, export, and downstream conversion. |
sample_pages | integer | — | Maximum number of pages to sample per source when automatic inspection is enabled. Defaults to 5. |
include_chunks | boolean | — | Include page-level citation-ready chunks with text, element IDs, page ranges, and best-effort bounding boxes. |
include_images | boolean | — | Extract and include embedded images from the PDF pages as base64-encoded data. |
include_tables | boolean | — | Detect and extract tables from PDF pages. Uses spatial clustering of selectable text coordinates and, when include_ocr_text_layer is enabled, OCR word boxes to |
include_outline | boolean | — | Include document outline/bookmark entries when the PDF exposes them. |
include_elements | boolean | — | Include agent-ready structured document elements with page numbers, stable IDs, provenance, and best-effort bounding boxes. |
include_markdown | boolean | — | Include a Markdown rendering of extracted pages for RAG, summarization, and agent context. |
include_metadata | boolean | — | Include metadata and info objects for each PDF. |
Parameters from the server's own tool schema.
This tool retrieves and queries PDF file content. It has no side effects—it does not create, modify, delete, or execute operations. The mechanism of 'auto-inspect' and content routing is still fundamentally a read operation. Severity is low because unauthorized PDF reading carries limited direct harm compared to write, execute, or destructive operations, though sensitivity depends on document classification.
From the tool's definition Tool name 'read_pdf' and description states it 'returns a routed Agent Document Twin' with options for reading PDF content.
Risk signalsAccepts file system path (sources[].path) · Accepts URL/endpoint input (sources[].url) · High parameter count (36 properties)
Attacks that exploit this kind of access
Primary V3 PDF reader. With only sources, it auto-inspects and returns a routed Agent Document Twin; use auto_detail or explicit include_* options for precise control. It is categorised as a Read tool in the Pdf Reader MCP Server, which means it retrieves data without modifying state.
read_pdf accepts 12 parameters: auto, sources, auto_detail, include_html, sample_pages, include_chunks, include_images, include_tables, include_outline, include_elements, include_markdown, include_metadata. Required: sources. The full parameter table on this page comes from the server's own tool schema.
Register the Pdf Reader MCP server in PolicyLayer and add a rule for read_pdf: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Pdf Reader. Nothing to install.
read_pdf is a Read tool with low risk. Read-only tools are generally safe to allow by default.
Yes. Add a rate_limit block to the read_pdf rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for read_pdf. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
read_pdf is provided by the Pdf Reader MCP server (@sylphx/pdf-reader-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →