MCP tool risk levels
Every tool in the catalogue is classified by what it can do to your systems — from harmless retrieval to irreversible deletion and real money moved. Browse by level to see which tools share a blast radius, which attacks target each class, and the policy pattern that contains them.
THE ECOSYSTEM'S RISK PROFILE
61% of catalogued MCP tools only read. The rest — 86,712 tools — change something when called, and 7.8% can do something irreversible.
THE FOUR LEVELS
- Critical (17,536 tools): Destructive and financial operations — irreversible by nature. 12,718 destructive tools that permanently delete or overwrite, plus 4,818 that move real money. Block by default; require human approval.
- High (21,510 tools): Execute operations whose effects depend on the arguments an agent supplies — builds, scripts, notifications, compute. Rate-limit and validate arguments; approval for expensive paths.
- Medium (47,666 tools): Write operations that create or modify data reversibly. Safe at human pace, dangerous at agent pace — a rate cap stops an agent making hundreds of changes a minute.
- Low (137,400 tools): Read-only retrieval with no side effects. The residual risks are cost (retry loops) and data exposure through what the agent reads — rate caps and scoped access cover both.
LARGEST CRITICAL SURFACE
The servers exposing the most critical-risk tools. Each links to a full scan report with a starter policy:
BROWSE BY CAPABILITY
Each category maps to a behaviour pattern with its own recommended policy approach.
HOW SEVERITY IS ASSIGNED
Severity follows from reversibility. Destructive and financial operations share critical severity because both produce outcomes no later control can undo. Execute operations score high because their effects depend on whatever arguments the agent supplies. Reversible writes are medium; retrieval is low. Every classification is grounded in the tool's own definition — name, description, and input schema — and carries quoted evidence on its tool page.
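An added example (not PolicyLayer's own code or policy format) of a pre-call gate that applies the severity rule above and the default pattern each of the four levels describes: a hide rule for a server's destructive tools, human approval for anything irreversible, approval for expensive execute paths, and a sliding-window rate cap for the rest. The capability labels come from the page; the cap values, the `expensive_arg_keys` heuristic and the call shape are assumptions.

```python
from collections import defaultdict, deque

# Capability -> severity, per the catalogue's rule: irreversible is critical,
# argument-dependent execution is high, reversible writes medium, retrieval low.
SEVERITY = {"destructive": "critical", "financial": "critical",
            "execute": "high", "write": "medium", "low": "low", "read": "low"}

# Per-minute caps for the levels the page contains with a rate cap (assumed values).
RATE_CAP = {"high": 10, "medium": 20, "low": 120}


class PreCallGate:
    """Decides allow / deny / approve for a tool call *before* it is forwarded."""

    def __init__(self, hidden=None, expensive_arg_keys=("instance_type", "recipients")):
        # hidden: {server: {capability, ...}} - the "hide destructive tools" starter rule
        self.hidden = hidden or {}
        # Assumed heuristic: argument keys that mark an expensive execute path.
        self.expensive = set(expensive_arg_keys)
        self._window = defaultdict(deque)  # (identity, server, tool) -> call timestamps

    def _over_cap(self, key, cap, now):
        q = self._window[key]
        while q and now - q[0] >= 60:      # sliding one-minute window
            q.popleft()
        if len(q) >= cap:
            return True                    # denied calls are not counted
        q.append(now)
        return False

    def decide(self, identity, server, tool, capability, args, now):
        sev = SEVERITY[capability]
        if capability in self.hidden.get(server, set()):
            return "deny"                  # tool is invisible to the agent
        if sev == "critical":
            return "approve"               # nothing applied after the call can undo it
        if sev == "high" and self.expensive & set(args):
            return "approve"               # expensive execute path needs a human
        if self._over_cap((identity, server, tool), RATE_CAP[sev], now):
            return "deny"                  # agent-pace burst: cap before, not audit after
        return "allow"
```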
For the full picture of how MCP fails in production and the enforcement architecture that works, start with the MCP Security reference.
FAQ
A tool whose effects cannot be undone: destructive operations (permanent deletion or overwrite) and financial operations (payments, refunds, trades). The catalogue currently classifies 17,536 tools as critical across 8,805 servers. The recommended policy is deny by default with explicit human approval.
Every tool in the catalogue is classified by what it actually does — its name, description, and input schema — into Read, Write, Execute, Destructive, or Financial. Classifications are verified with quoted evidence from the tool's own definition, and severity follows from reversibility: anything irreversible is critical, argument-dependent execution is high, reversible writes are medium, retrieval is low.
Both produce irreversible outcomes. A deleted production branch and a sent payment have the same property: no policy applied after the call can take it back. That is why the recommended control for both is the same — block before the call, not audit after it.
A PolicyLayer policy targets individual tools. A two-line rule hides a server's destructive tools from the agent entirely while every other tool keeps working — the recommended starter policy on every server page in the catalogue does exactly this.
Let agents act without letting them run wild.
Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.
Free to start. No card required.
220,000+ tools risk-classified across 43,000+ MCP servers.