Zip a local folder (excluding node_modules, build output, and secrets by default) and start a WordPress theme conversion. Returns a jobId; poll wpconvert_check_status until
AI agents invoke wpconvert_convert_folder to trigger actions in Wpconvert Devtools. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
This tool reads local filesystem contents, packages them, and submits them to an external service to start a conversion job. This constitutes triggering an external operation whose effects depend on arguments (which folder is submitted). It spans Read (local file access) and Execute (starts remote job); Execute is the higher severity category.
From the tool's definition 'Zip a local folder... and start a WordPress theme conversion. Returns a jobId' — triggers an external conversion operation by uploading local files and initiating a remote job.
Attacks that exploit this kind of access
Zip a local folder (excluding node_modules, build output, and secrets by default) and start a WordPress theme conversion. Returns a jobId; poll wpconvert_check_status until. It is categorised as a Execute tool in the Wpconvert Devtools MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Wpconvert Devtools MCP server in PolicyLayer and add a rule for wpconvert_convert_folder: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Wpconvert Devtools. Nothing to install.
wpconvert_convert_folder is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the wpconvert_convert_folder rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for wpconvert_convert_folder. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
wpconvert_convert_folder is provided by the Wpconvert Devtools MCP server (Gem43929/wpconvert-devtools). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
wpconvert_convert_folder is one line of Wpconvert Devtools's registry record.
The record carries the whole server: verified identity, auth posture, risk grade, every tool classified, recommended policy — re-checked continuously.
Teams ship this data inside their own products. See what a licence covers →