
defenseclaw tool — DefenseClaw

Overview

defenseclaw tool — Manage tool-level block/allow lists.

Reference

Synopsis

defenseclaw tool [OPTIONS]

Subcommands

| Subcommand | Description |
|---|---|
| allow | Add a tool to the allow list (skip scan gate). |
| block | Add a tool to the block list. |
| list | List tools in the block/allow list. |
| status | Show the block/allow status of a tool. |
| unblock | Remove a tool from the block/allow list. |

Description

Manage tool-level block/allow lists.

Tools are named actions exposed by skills or MCP servers. Block/allow rules can be global (any source) or scoped to a specific skill/MCP server with --source.

Examples:
  defenseclaw tool block delete_file --reason "too dangerous"
  defenseclaw tool block delete_file --source filesystem
  defenseclaw tool allow search --source web-search
  defenseclaw tool list
  defenseclaw tool list --blocked
  defenseclaw tool status delete_file
  defenseclaw tool unblock delete_file

defenseclaw tool allow

Add a tool to the allow list (skip scan gate).

Allow-listed tools bypass the scan gate during execution checks. Use --source to scope the rule to a specific skill or MCP server.

Examples:
  defenseclaw tool allow search --source web-search --reason "vetted"
  defenseclaw tool allow read_file

defenseclaw tool allow <NAME>

Arguments

| Name | Type | Arity | Required |
|---|---|---|---|
| name | text | 1 | yes |

Options

| Flag | Type | Default | Env var | Required | Description |
|---|---|---|---|---|---|
| --source | text | | | no | Scope to a specific skill or MCP server name |
| --reason | text | | | no | Reason for allowing |

defenseclaw tool block

Add a tool to the block list.

Blocked tools are flagged at runtime when called. Use --source to scope the rule to a specific skill or MCP server; without --source the block applies globally regardless of which source exposes the tool.

Examples:
  defenseclaw tool block delete_file --reason "destructive"
  defenseclaw tool block write_file --source filesystem --reason "read-only env"

defenseclaw tool block <NAME>

Arguments

| Name | Type | Arity | Required |
|---|---|---|---|
| name | text | 1 | yes |

Options

| Flag | Type | Default | Env var | Required | Description |
|---|---|---|---|---|---|
| --source | text | | | no | Scope to a specific skill or MCP server name |
| --reason | text | | | no | Reason for blocking |

defenseclaw tool list

List tools in the block/allow list.

By default, all tools are shown. Use --blocked or --allowed to filter.

Examples:
  defenseclaw tool list
  defenseclaw tool list --blocked
  defenseclaw tool list --allowed --json

Options

| Flag | Type | Default | Env var | Required | Description |
|---|---|---|---|---|---|
| --blocked | boolean | | | no | Show only blocked tools |
| --allowed | boolean | | | no | Show only allowed tools |
| --json | boolean | | | no | Output as JSON |

defenseclaw tool status

Show the block/allow status of a tool.

Checks the scoped entry first (if --source is given), then falls back to the global entry.

Examples:
  defenseclaw tool status delete_file
  defenseclaw tool status write_file --source filesystem

defenseclaw tool status <NAME>

Arguments

| Name | Type | Arity | Required |
|---|---|---|---|
| name | text | 1 | yes |

Options

| Flag | Type | Default | Env var | Required | Description |
|---|---|---|---|---|---|
| --source | text | | | no | Scope to a specific skill or MCP server name |
| --json | boolean | | | no | Output as JSON |

defenseclaw tool unblock

Remove a tool from the block/allow list.

Pass --source to remove a scoped entry; without --source, the global entry is removed.

Examples:
  defenseclaw tool unblock delete_file
  defenseclaw tool unblock write_file --source filesystem

defenseclaw tool unblock <NAME>

Arguments

| Name | Type | Arity | Required |
|---|---|---|---|
| name | text | 1 | yes |

Options

| Flag | Type | Default | Env var | Required | Description |
|---|---|---|---|---|---|
| --source | text | | | no | Scope to match the scoped entry (if any) |

Usage

Inspect tool policy

defenseclaw tool list --blocked --json
defenseclaw tool status shell --source builtin --json

The source value disambiguates tools with the same name from different registries.
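
The lookup order documented for tool status (scoped entry first, then the global entry), modelled in Python as an added example; this is not DefenseClaw's code or storage format. Rule, status, audit and the sample policy are hypothetical names and constructed values, and one entry per (name, source) pair is assumed.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    name: str               # tool name, e.g. "delete_file"
    source: Optional[str]   # skill or MCP server name; None = global entry
    action: str             # "block" or "allow"
    reason: str = ""

def status(rules, name, source=None):
    """Scoped entry first (if a source is given), then the global entry."""
    by_key = {(r.name, r.source): r for r in rules}  # assumes one entry per key
    if source is not None and (name, source) in by_key:
        return by_key[(name, source)]
    return by_key.get((name, None))  # None means no explicit entry

def audit(rules):
    """Return allow entries that deserve a second look in review."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.source is None:
            # Global allow: skips the scan gate whichever source exposes the name.
            findings.append(("global-allow", r.name, None))
            continue
        g = status(rules, r.name)
        if g is not None and g.action == "block":
            # status for this source reports the scoped allow, not the global block.
            findings.append(("scoped-allow-over-global-block", r.name, r.source))
    return findings

# Constructed sample policy (hypothetical values, modelled on the page's examples).
SAMPLE = [
    Rule("delete_file", None, "block", "destructive"),
    Rule("write_file", "filesystem", "block", "read-only env"),
    Rule("search", "web-search", "allow", "vetted"),
    Rule("read_file", None, "allow"),
    Rule("delete_file", "filesystem", "allow", "constructed exception"),
]

if __name__ == "__main__":
    for tool, src in [("delete_file", None), ("delete_file", "filesystem"),
                      ("write_file", "other"), ("read_file", "any-server")]:
        r = status(SAMPLE, tool, src)
        print(tool, src, "->", r.action if r else "no entry")
    for finding in audit(SAMPLE):
        print("REVIEW:", finding)
```

The two finding kinds correspond to the broadest rules this page describes: an allow with no --source, and a scoped allow that status returns ahead of a global block.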

Block or allow a tool

defenseclaw tool block shell --source builtin --reason "requires review"
defenseclaw tool allow shell --source builtin --reason "approved"

Use unblock when you need to remove an explicit block entry.
