Medium Risk

str_replace

Replace a unique string in a file with another string. The string to replace must appear exactly once in the file. Args: description: Why I'm making this edit old_str: String to replace (must be unique in file) path: Path to the file to edit new_str: String to replace with (empty to delete) Retur...


AI agents use str_replace to create or update resources in Open Computer Use — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your Open Computer Use environment.

Medium Risk

This tool modifies file contents reversibly by replacing or deleting text within files. It is Write rather than Destructive because: (1) changes are typically reversible (the original content can be restored by running the tool again), (2) the operation targets specific strings, not entire files, and (3) there is no indication it performs unrecoverable operations like permanent deletion or data wiping.

From the tool's definition: the tool description states that it 'Replace[s] a unique string in a file with another string' and can delete content when new_str is empty. The parameters include 'path' (the file to edit) and 'new_str' (the replacement, or empty to delete).

Documented attack patterns abuse exactly the kind of access str_replace gives an agent:

PolicyLayer is an MCP gateway — it sits between your AI agents and Open Computer Use, and nothing reaches the server without passing your rules. This is the rule we recommend for str_replace:

policy.json
{
  "version": "1",
  "default": "deny",
  "tools": {
    "str_replace": {
      "limits": [
        {
          "counter": "str_replace_rate",
          "window": "minute",
          "max": 30,
          "scope": "grant"
        }
      ]
    }
  }
}

str_replace stays usable, but capped — an agent stuck in a loop can't make hundreds of changes a minute. Everything else on the server is denied unless you say otherwise.

  1. Create a free account and register Open Computer Use — nothing to install.
  2. Add this policy — paste it, or build it visually.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.

Free to start. No card required.

Go deeper

What does the str_replace tool do?

Replace a unique string in a file with another string. The string to replace must appear exactly once in the file.

Args:
  description: Why I'm making this edit
  old_str: String to replace (must be unique in file)
  path: Path to the file to edit
  new_str: String to replace with (empty to delete)

Returns: Success message or error.

It is categorised as a Write tool in the Open Computer Use MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.

How do I enforce a policy on str_replace?

Register the Open Computer Use MCP server in PolicyLayer and add a rule for str_replace: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Open Computer Use. Nothing to install.

What risk level is str_replace?

str_replace is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.

Can I rate-limit str_replace?

Yes. Add a rate_limit block to the str_replace rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block str_replace completely?

Set action: deny in the PolicyLayer policy for str_replace. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides str_replace?

str_replace is provided by the Open Computer Use MCP server (wide-moat/open-computer-use). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.

Enforce policy on every Open Computer Use tool call.

Deterministic rules across all 4 Open Computer Use tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.


4 Open Computer Use tools catalogued and risk-classified — across an index of 42,500+ MCP servers.
