Search restaurants. Location auto-filled. DO NOT ask user - just search based on what they want.
AI agents call search_restaurants to retrieve information from MCP A2A AP2 Food Delivery & Payments without modifying anything — typically the context-gathering step in research, monitoring, and reporting workflows, before the agent takes action elsewhere.
search_restaurants retrieves data (restaurant listings) based on query parameters with no side effects, creation, modification, deletion, or financial transaction. The auto-filled location parameter does not change its fundamental nature as a read operation. This is the lowest-risk tool on a payment-enabled food delivery server.
From the tool's definition Tool performs 'Search restaurants' - a retrieval operation with 'Location auto-filled', indicating it queries available restaurants without modifying state.
Attacks that exploit this kind of access
Search restaurants. Location auto-filled. DO NOT ask user - just search based on what they want. It is categorised as a Read tool in the MCP A2A AP2 Food Delivery & Payments MCP Server, which means it retrieves data without modifying state.
Register the MCP A2A AP2 Food Delivery & Payments MCP server in PolicyLayer and add a rule for search_restaurants: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches MCP A2A AP2 Food Delivery & Payments. Nothing to install.
search_restaurants is a Read tool with low risk. Read-only tools are generally safe to allow by default.
Yes. Add a rate_limit block to the search_restaurants rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for search_restaurants. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
search_restaurants is provided by the MCP A2A AP2 Food Delivery & Payments MCP server (tas1337/mcp-a2a-ap2-im-hungry). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →