Waveguide
Docs navigation

Tools (MCP)

Beyond account connections, your agent can use tools — capabilities added through the Model Context Protocol (MCP). Connect them at Dashboard → Tools. Every tool runs under the same security model as first-party capabilities: credentials in the vault, calls through the egress proxy, and a risk tier on every tool.

The curated catalog

Catalog entries are pre-audited: known tool sets, known risk maps, declared network destinations, one-click connect.

ToolCategoryWhat the agent uses it for
WavetableCRMQuery your ledger, create records, send email/SMS via sender identities
ApolloResearchFind and enrich B2B contacts — emails, titles, socials
HunterResearchFind and verify email addresses
FirecrawlResearchScrape and crawl sites into clean text
InstantlyEmailHigh-volume cold email with warmed inboxes
MailchimpEmailList-based broadcast campaigns (OAuth)
AyrshareSocialUnified posting and DMs across social platforms
Dropbox SignDocumentsSend quotes, proposals, and engagement letters for e-signature; chase until signed
Google Business ProfileLocalRead and respond to reviews, update hours, publish posts (OAuth)
QuickBooks OnlineMoneyAR aging, invoices, expense categorization drafts (OAuth)
JobberField serviceClients, quotes, jobs, and scheduling for home-services businesses (OAuth)

API-key tools ask for the key at connect time (it goes straight into the vault); OAuth tools use the provider’s own consent screen.

Wake triggers

A connected tool isn’t just something the agent can call — it’s something that can wake the agent. Catalog connectors declare their events: vendors that push webhooks (a signed document, a paid invoice) wake the agent the moment they fire, and push-less signals (new Google reviews) are polled on a schedule, waking the agent only when something actually changed. Event content is treated as untrusted and quarantined before it can influence any action.

Connecting your own MCP server

Any MCP server works — point the agent at its URL and pick the auth type (OAuth discovery per RFC 9728, API key, bearer, or none). On connect, Waveguide:

  1. Discovers the tools the server exposes (tools/list).
  2. Classifies each tool into a risk tier T0–T3 using a conservative heuristic — read/search verbs are T0, writes T1, send/post/publish T2, and anything touching money or deletion T3. Unknown verbs fail safe to T2. You can override a tier per tool.
  3. Scans every tool description for prompt-injection / tool-poisoning patterns (instruction overrides, hidden preconditions, exfiltration directives, credential references). A flagged tool is deactivated until you review it.
  4. Records a manifest hash so a server that quietly changes what its tools do is detected on the next sync — drift re-triggers review instead of silently granting new behavior.

Network manifests

Each tool connection declares the hosts it’s allowed to reach. The egress proxy enforces this default-deny: a tool that claims to be a CRM can’t suddenly call an unrelated host, because the proxy refuses the connection.

How tools appear to the agent

Connected tools mount as capabilities in the agent’s sandbox. Tier gating happens at call time in the proxy, same as everything else: a T0 search runs freely, a T2 send_email needs your approval or a standing policy, and a T3 tool call always needs a human. Every call is in the audit trail.

Outreach lanes

Tools that send (email campaigns, social DMs, SMS) declare lane semantics — which channel they represent and how replies come back. That’s how a tool like Instantly plugs into missions with correct reply routing and suppression handling.