From d3a9f386ccd5eb6fd0b35d55fa595dc6a322f75c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 11 Mar 2026 22:30:07 +0000
Subject: [PATCH 1/2] Initial plan


From d130d3f1c602487b72f52ce790bbc9884d621221 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 11 Mar 2026 22:35:14 +0000
Subject: [PATCH 2/2] docs: add prominent READ-ONLY caution to mcp-scripts
 documentation

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 docs/src/content/docs/reference/mcp-scripts.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/docs/src/content/docs/reference/mcp-scripts.md b/docs/src/content/docs/reference/mcp-scripts.md
index 06696f49c52..93359c3c7cf 100644
--- a/docs/src/content/docs/reference/mcp-scripts.md
+++ b/docs/src/content/docs/reference/mcp-scripts.md
@@ -7,6 +7,16 @@ sidebar:
 
 The [`mcp-scripts:`](/gh-aw/reference/glossary/#mcp-scripts) element allows you to define custom [MCP](/gh-aw/reference/glossary/#mcp-model-context-protocol) (Model Context Protocol) tools directly in your workflow [frontmatter](/gh-aw/reference/glossary/#frontmatter) using JavaScript, shell scripts, or Python. These tools are generated at runtime and run as an HTTP MCP server **on the GitHub Actions runner, outside the agent container**. The agent reaches the server via `host.docker.internal`, keeping tool execution isolated from the AI sandbox while still providing controlled secret access.
 
+> [!CAUTION]
+> **MCP Scripts run outside the agent sandbox and must only implement READ-ONLY operations.**
+>
+> Because MCP Scripts execute directly on the GitHub Actions runner host — not inside the isolated agent container — they can access the runner's file system, network, and environment without the safety constraints of the sandbox. Implementing **write operations** (creating files, pushing commits, calling mutating APIs, etc.) in MCP Scripts bypasses the audit trail and approval gates that protect your repository.
+>
+> - ✅ **Use MCP Scripts for**: reading data, querying APIs, fetching information, performing calculations.
+> - ❌ **Do not use MCP Scripts for**: writing files, creating issues/PRs, modifying repository content, or any other mutating action.
+>
+> For write operations, use [Safe Output Jobs](/gh-aw/reference/safe-outputs/) or [Custom Safe Output Jobs](/gh-aw/reference/custom-safe-outputs/) instead. These run in a controlled, auditable step that is separate from the AI agent's execution.
+
 ## Quick Start
 
 ```yaml wrap
@@ -336,6 +346,9 @@ Analyze provided text using the `analyze-text` tool and create a discussion with
 
 MCP Scripts tools run on the GitHub Actions **runner host** — outside the agent container — so they can access the runner's file system and environment but are isolated from the AI's own execution environment. Tools also provide secret isolation (only specified env vars are forwarded), process isolation (separate execution), and output sanitization (large outputs saved to files). Only predefined tools are available to agents.
 
+> [!CAUTION]
+> Because MCP Scripts execute outside the sandbox, **only implement READ-ONLY tools**. Write operations (file writes, API mutations, repository changes) must be handled through [Safe Output Jobs](/gh-aw/reference/safe-outputs/) or [Custom Safe Output Jobs](/gh-aw/reference/custom-safe-outputs/), which provide proper audit trails and approval gates.
+
 ## Comparison with Other Options
 
 | Feature | MCP Scripts | Custom MCP Servers | Bash Tool |