AI agents use set_clipboard to create or update resources in MacWright — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your MacWright environment.
This tool modifies system clipboard state, which is reversible but has significant security implications. An AI agent could overwrite clipboard contents to inject malicious text or HTML, affecting subsequent paste operations by the user. This represents a meaningful Write-class operation with potentially harmful consequences (e.g., replacing legitimate data with phishing links or commands).
From the tool's definition Set the system clipboard contents. Supports plain text and HTML.
Attacks that exploit this kind of access
Set the system clipboard contents. Supports plain text and HTML. When HTML is provided, both HTML and plain text are set so paste works in both rich and plain text editors. It is categorised as a Write tool in the MacWright MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Register the MacWright MCP server in PolicyLayer and add a rule for set_clipboard: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches MacWright. Nothing to install.
set_clipboard is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the set_clipboard rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for set_clipboard. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
set_clipboard is provided by the MacWright MCP server (ruchit-p/macwright). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →