Skip to main content
Version: 2026.1

Tool Security Reference

This page is the authoritative reference for which SDK built-in tools an agent can use, how path sandboxing works, and how permissions are auto-derived from an agent's configuration. For the mechanism that enforces all of this, see Architecture → Tool Security.

This page covers SDK built-in tools only - the filesystem / web / interactive tools the Copilot SDK ships with. MCP tools (Pimcore PHP tools, third-party MCP servers) are governed by Pimcore user permissions via cookie forwarding. Which MCP groups an agent can see is controlled by pimcoreMcpServers / pimcoreMetaGroups - see MCP Servers.

What tools does an agent get?

Four categories - enabled by default, opt-in, always blocked, SDK-managed. The agent's YAML only touches opt-in tools; everything else is policy.

Enabled by default

Every agent automatically has these tools. No configuration needed.

ToolWhat it does
viewRead file contents (path-sandboxed)
grepSearch file contents (path-sandboxed)
globMatch files by pattern (path-sandboxed)
skillLoads skill content into the agent's system context
report_intentSDK-internal - declares the agent's intended action
fetch_copilot_cli_documentationSDK-internal - documentation lookup

skill must remain enabled. The SDK uses this tool to inject skill content into the system message. Excluding it silently disables skillDirectories - no skill content reaches the agent and no error is raised. The agent-server keeps skill in ALWAYS_ACTIVE_TOOLS; removing it will break skill loading.

Opt-in via includeSdkTools

These are disabled by default. Enable them per agent in the YAML config.

ToolWhat it doesNotes
createCreate new files on diskPath-sandboxed. Enabling auto-approves the write permission.
editEdit existing files with diffsPath-sandboxed. Enabling auto-approves the write permission.
web_fetchFetch a URL and return content as markdownEnabling auto-approves the url permission.
ask_userInteractively ask the user a question mid-turnSee Features → Interactive Input.

Example:

includeSdkTools:
- web_fetch
- ask_user

Listing a default tool (view, grep, glob) is harmless but unnecessary - they are already enabled.

Task-session ask_user exclusion

ask_user is force-excluded from every turn of a headless agent task, even for an agent that lists it under includeSdkTools. This is applied server-side from the session's origin column, not something an agent configuration can opt back into for its own task runs - an unattended task has no human to answer a mid-turn question. See Architecture → Tool Security → Task-session tool overrides.

Always blocked

These tools are denied unconditionally at the runtime hook level. Even if the LLM hallucinates a call to them, the call is rejected before it reaches the SDK with "This tool is not available in the agent environment".

ToolWhy blocked
bashShell command execution
list_bashList interactive bash sessions
read_bashRead from an interactive bash session
write_bashWrite to an interactive bash session
stop_bashStop an interactive bash session
taskSpawns sub-agents that would bypass tool restrictions

All denials are audit-logged via logger.audit() with the tool name, session id, and request kind - searchable from the structured log stream.

SDK-managed (cannot be controlled)

Some tools are injected internally by the SDK and are always available. They are not returned by the tool list API and cannot be disabled through agent configuration.

ToolWhat it does
sqlPer-session SQLite scratch database (with todos / todo_deps tables)

Auto-derived permissions

Agent configurations do not have a permissions field. The agent-server auto-derives the SDK permission set from the resolved config - no manual listing needed.

KindApproved when
readAlways approved (default read tools are always on)
mcpThe agent has any MCP server (mcpServers, pimcoreMcpServers, or pimcoreMetaGroups)
urlweb_fetch is listed in includeSdkTools
writecreate or edit is listed in includeSdkTools
shellNever approved. The PreToolUseHook blocks every shell tool unconditionally

Execution user and information disclosure

Agent configurations can optionally set executionUser, a Pimcore username the whole session runs as instead of the chat initiator. Full field reference: Configuration → Agents → Execution user. Resolution mechanism: Architecture → Authentication → Execution user resolution.

AspectBehavior
Who can set itAdministrators only. The server rejects a changed value coming from a non-admin request.
Studio visibilityNon-admins see the field read only on the agent's General tab; Pimcore Studio shows a warning next to it once it carries a value.
Unresolvable valueSession creation fails with an error, no silent fallback to the initiator (fail closed).
Session ownershipStays with the initiator; only the acting identity changes.

Security implication: the execution user can hold more permissions than the users who chat with the agent. Because the agent acts as the execution user, its responses (and any HITL proposal it creates) can surface information - object content, listings, search results, proposed values - that the chatting users cannot access directly. Recommended mitigation: combine an execution user with the agent's own run permission so only an intended audience can start sessions with that agent.

See Architecture → Tool Security → Execution user and information disclosure for the mechanism behind this table.

Path sandboxing

File-system tools (view, grep, glob, create, edit) are restricted to two per-session directories:

/app/uploads/{chatSessionId}/uploaded/    ← user-uploaded files
/app/uploads/{chatSessionId}/staged/ ← staged Pimcore asset copies

A tool call with a path outside these directories is denied with "Access denied: path is outside the allowed scope". For the pre-tool-use hook that enforces this, see Architecture → Tool Security.

Read-only path: /tmp/

When an MCP tool returns a response larger than ~30 KB, the Copilot SDK writes the full output to a temp file in /tmp/ and tells the LLM to use view or grep to read it. /tmp/ is a read-only path with tighter restrictions than the session sandbox:

ToolSpecific file (e.g. /tmp/123-copilot-tool-output-abc.txt)Directory (/tmp/)
viewalloweddenied
grepalloweddenied
globdenieddenied
create/editdenieddenied

view and grep can read a specific file by exact path but cannot target the directory itself - a directory listing could expose temp files from other sessions and a recursive grep could leak their contents. glob is always denied on read-only paths.

Startup validation

On startup (deferred 5 seconds to let the SDK initialize) and on every admin reload, the agent-server validates every agent's includeSdkTools entries. Warnings are logged when:

  • A tool name is not in the valid configurable set (view, grep, glob, create, edit, web_fetch, ask_user).
  • A tool name is not found in the current SDK's tool list.

Inspect validation results manually:

curl -X POST \
-H "Authorization: Bearer $AGENT_SERVER_ADMIN_TOKEN" \
http://localhost/agent-server/api/admin/reload-agents

The response includes a toolWarnings array alongside any modelWarnings.