在 ArcGIS Pro Python 环境中执行 ArcPy 代码并返回 stdout、stderr 与异常信息。
AI agents invoke execute_arcpy_code to trigger actions in ArcGIS Pro Bridge MCP Server. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
This tool runs arbitrary Python code (ArcPy scripts) in the native ArcGIS Pro environment. This is a classic Execute pattern: the effects depend entirely on what code the AI agent provides. While not inherently destructive (no explicit delete/drop semantics in the name), code execution in a GIS context can access, modify, or delete geodatabases, shapefiles, and project data.
From the tool's definition execute_arcpy_code: 'executes ArcPy code in the ArcGIS Pro Python environment and returns stdout, stderr and exception information.' Explicitly permits arbitrary code execution in a native Python environment with access to geospatial data and file systems.
Documented attack patterns abuse exactly the kind of access execute_arcpy_code gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and ArcGIS Pro Bridge MCP Server, and nothing reaches the server without passing your rules. This is the rule we recommend for execute_arcpy_code:
{
"version": "1",
"default": "deny",
"tools": {
"execute_arcpy_code": {
"limits": [
{
"counter": "execute_arcpy_code_rate",
"window": "minute",
"max": 10,
"scope": "grant"
}
]
}
}
}execute_arcpy_code stays usable, but rate-capped — a runaway agent can't fire it dozens of times a minute. Everything else on the server is denied unless you say otherwise.
Free to start. No card required.
在 ArcGIS Pro Python 环境中执行 ArcPy 代码并返回 stdout、stderr 与异常信息。. It is categorised as a Execute tool in the ArcGIS Pro Bridge MCP Server MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the ArcGIS Pro Bridge MCP Server MCP server in PolicyLayer and add a rule for execute_arcpy_code: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches ArcGIS Pro Bridge MCP Server. Nothing to install.
execute_arcpy_code is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the execute_arcpy_code rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for execute_arcpy_code. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
execute_arcpy_code is provided by the ArcGIS Pro Bridge MCP Server MCP server (sangwxx/arcgis-pro-bridge-mcp-server). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic rules across all 13 ArcGIS Pro Bridge MCP Server tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.
Free to start. No card required.
13 ArcGIS Pro Bridge MCP Server tools catalogued and risk-classified — across an index of 42,500+ MCP servers.