AI agents use channel_join to create or update resources in Wmux — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your Wmux environment.
Joining a channel is a reversible write operation (membership can be revoked/left). It modifies the agent's participation state in a channel. The history parameter is a read concern but the primary action is the join/write. Medium severity because it could expose the agent to channel communications or allow unintended presence in channels.
From the tool's definition 'Join a channel as a member' — modifies membership state by adding the agent to a channel
Attacks that exploit this kind of access
Join a channel as a member. By default joins with full history (historyFromSeq=0); pass include_history=false to start at the channel\. It is categorised as a Write tool in the Wmux MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Register the Wmux MCP server in PolicyLayer and add a rule for channel_join: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Wmux. Nothing to install.
channel_join is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the channel_join rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for channel_join. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
channel_join is provided by the Wmux MCP server (openwong2kim/wmux). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
channel_join is one line of Wmux's registry record.
The record carries the whole server: verified identity, auth posture, risk grade, every tool classified, recommended policy — re-checked continuously.
Teams ship this data inside their own products. See what a licence covers →