call_subroutine

AI agents invoke call_subroutine to trigger processes or run actions in U2 MCP Server. Execute operations can have side effects beyond the immediate call -- triggering builds, sending notifications, or starting workflows. Rate limits and argument validation are essential to prevent runaway execution.

call_subroutine can trigger processes with real-world consequences. An uncontrolled agent might start dozens of builds, send mass notifications, or kick off expensive compute jobs. Intercept enforces rate limits and validates arguments to keep execution within safe bounds.

Execute tools trigger processes. Rate-limit and validate arguments to prevent unintended side effects.

tools:
  call_subroutine:
    rules:
      - action: allow
        rate_limit:
          max: 10
          window: 60
        validate:
          required_args: true

See the full U2 MCP Server policy for all 22 tools.

View all 22 tools →

Agents calling execute-class tools like call_subroutine have been implicated in these attack patterns. Read the full case and prevention policy for each:

• Destructive Action Autonomy
• Runaway Tool Loops
• Prompt Injection via Tool Results

Browse the full MCP Attack Database →

Other tools in the Execute risk category across the catalogue. The same policy patterns (rate-limit, validate) apply to each.

call_subroutine is one of the high-risk operations in U2 MCP Server. For the full severity-focused view — only the high-risk tools with their recommended policies — see the breakdown for this server, or browse all high-risk tools across every MCP server.

• High-risk tools in U2 MCP Server →
• All high-risk MCP tools →

• Rate Limiting MCP Tool Calls: A Practical Guide
• MCP Security: Why Prompt Guardrails Aren't Enough
• The Case for Deterministic AI Agent Policies
• Why AI Agents Need a Control Plane