> ## Documentation Index
> Fetch the complete documentation index at: https://slackhive.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Tools

> What the agent can invoke - MCP servers, internet access, and shell access.

The **Tools** tab is where you control what an agent can invoke. There are two sections: **MCP servers** and **Capabilities**.

Open an agent → **Tools** tab.

## MCP servers

The MCP grid lists every server in your catalog (see [MCP Servers](/configuration/mcp-servers) for adding servers). Check a server to assign it - the agent gets access to all of that server's tools.

Examples:

* Assign `redshift-mcp` → agent can run SQL queries
* Assign `github` → agent can open PRs, read issues, etc.
* Assign `datadog-mcp` → agent can query logs

Assign only what the agent needs for its job, then click **Save Assignments**.

## Capabilities

Two toggles below the MCP grid.

### Internet Access

Enables web search and fetch - the agent can look up current information or read content from a URL on demand. Leave off by default; turn on for agents that do research or consume external docs.

### Shell Access

Enables terminal commands for the agent via the Bash tool. When enabled, the agent's shell is sandboxed to its own workdir — it cannot access the host filesystem outside that directory.

The following are **always denied**, regardless of the agent's instructions:

* Host secrets and credential files (`.env`, SSH keys, cloud credentials)
* System CLIs that can affect the host: `gh`, `aws`, `kubectl`, `gcloud`, `heroku`, `terraform`, `docker`, `helm`
* Global package installs (`npm install -g`, `pip install` outside a virtualenv, `brew install`, `apt`, `yum`)
* Destructive commands: `rm -rf /`, `dd`, `mkfs`, `shutdown`, and similar

The following are **allowed**:

* Source control: `git` (clone, pull, push, diff, log, etc.)
* Package managers scoped to the workdir: `npm install`, `pip install -r requirements.txt`, `go get`
* Build and test: `npm run`, `make`, `go test`, `go build`, `pytest`, `cargo test`
* Standard file inspection: `ls`, `cat`, `grep`, `find`, `jq`

Useful for agents that need to run git operations, execute tests, or build artifacts in a local codebase. Leave off for agents that only need to read data or call APIs via MCP.

## Always on

`Read` and `Write` are on for every agent and cannot be removed. They power loading the system prompt, skills, and wiki, and writing memory files.

## Changes are live

Save any tool change and the runner hot-reloads the agent within seconds. A snapshot is taken so you can roll back via the **History** tab.

## Next steps

<CardGroup cols={2}>
  <Card title="MCP Servers" icon="plug" href="/configuration/mcp-servers">
    Add servers to the platform catalog.
  </Card>

  <Card title="OAuth MCPs" icon="key" href="/configuration/mcp-oauth">
    Connect servers that require OAuth (Figma, Linear, etc.).
  </Card>
</CardGroup>
