Saves the full source code of a JavaScript script to a local file. PREFERRED over get_script_source whenever you need the whole file or want to search/read a minified script. This tool auto-formats (beautifies) minified .js/.mjs/.ts output via prettier so the saved file is human-readable. Use thi...
AI agents use save_script_source to create or update resources in JS Reverse MCP — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your JS Reverse MCP environment.
This tool writes data to the local filesystem by saving script source code to a file. It creates or overwrites a local file, which is a Write operation. It is not purely Read (it has filesystem side effects), not Execute (it doesn't run code), and not Destructive (it creates/overwrites a file reversibly).
From the tool's definition 'Saves the full source code of a JavaScript script to a local file' and 'auto-formats (beautifies) minified .js/.mjs/.ts output via prettier so the saved file is human-readable'
Attacks that exploit this kind of access
Saves the full source code of a JavaScript script to a local file. PREFERRED over get_script_source whenever you need the whole file or want to search/read a minified script. This tool auto-formats (beautifies) minified .js/.mjs/.ts output via prettier so the saved file is human-readable. Use this for any non-trivial source inspection; only fall back to get_script_source for tiny known regions (e.g. ±20 lines around a breakpoint). Typical workflow: call save_script_source, then inspect the saved local file with your available file-reading or search tools. NOTE: because the saved file may be beautified, its line numbers may not match the original script. If you later need to set a breakpoint, use the original URL/scriptId with set_breakpoint_on_text rather than line numbers from the saved file. It is categorised as a Write tool in the JS Reverse MCP MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Register the JS Reverse MCP server in PolicyLayer and add a rule for save_script_source: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches JS Reverse MCP. Nothing to install.
save_script_source is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the save_script_source rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for save_script_source. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
save_script_source is provided by the JS Reverse MCP server (zhizhuodemao/js-reverse-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.