Agent tool risk
Know what a tool can do before it runs
Agent tools are permissions, not plugins. A tool configuration can grant access to files, shells, remote services, secrets, model-directed instructions, or irreversible actions. The risk is decided at config time — before the agent ever calls the tool.
CallLint helps review those surfaces before autonomous execution. It is deterministic and offline by default, returns SAFE, REVIEW, BLOCK, or UNKNOWN, and backs every verdict with evidence.
Why config-time review matters
- A broad filesystem root exposes everything under it.
- A shell command tool can run arbitrary commands.
- An unpinned package or unknown remote is a supply-chain surface.
- Tool names, descriptions, and schemas are attacker-controllable prompt surface.
Verdicts
- SAFE — no blockers under current evidence; not a runtime guarantee.
- REVIEW — human confirmation needed before autonomous use.
- BLOCK — do not enable until fixed or explicitly accepted.
- UNKNOWN — could not be verified statically; not SAFE.
In code review and CI
Run CallLint when a pull request changes agent-tool configuration. It can fail a job on a blocking verdict and upload SARIF to GitHub Code Scanning so config risk surfaces in review.
calllint scan .cursor/mcp.json --ci --no-emoji
calllint scan .cursor/mcp.json --sarif > calllint.sarifCallLint does not execute the tool, sandbox it, or prove it safe. It makes the permissions visible and evidence-backed before you decide.
Related: MCP security · Agent integration guide · Report schema