Tools (MCP)
Beyond account connections, your agent can use tools — capabilities added through the Model Context Protocol (MCP). Connect them at Dashboard → Tools. Every tool runs under the same security model as first-party capabilities: credentials in the vault, calls through the egress proxy, and a risk tier on every tool.
The curated catalog
Catalog entries are pre-audited: known tool sets, known risk maps, declared network destinations, one-click connect.
| Tool | Category | What the agent uses it for |
|---|---|---|
| Wavetable | CRM | Query your ledger, create records, send email/SMS via sender identities |
| Apollo | Research | Find and enrich B2B contacts — emails, titles, socials |
| Hunter | Research | Find and verify email addresses |
| Firecrawl | Research | Scrape and crawl sites into clean text |
| Instantly | High-volume cold email with warmed inboxes | |
| Mailchimp | List-based broadcast campaigns (OAuth) | |
| Ayrshare | Social | Unified posting and DMs across social platforms |
| Dropbox Sign | Documents | Send quotes, proposals, and engagement letters for e-signature; chase until signed |
| Google Business Profile | Local | Read and respond to reviews, update hours, publish posts (OAuth) |
| QuickBooks Online | Money | AR aging, invoices, expense categorization drafts (OAuth) |
| Jobber | Field service | Clients, quotes, jobs, and scheduling for home-services businesses (OAuth) |
API-key tools ask for the key at connect time (it goes straight into the vault); OAuth tools use the provider’s own consent screen.
Wake triggers
A connected tool isn’t just something the agent can call — it’s something that can wake the agent. Catalog connectors declare their events: vendors that push webhooks (a signed document, a paid invoice) wake the agent the moment they fire, and push-less signals (new Google reviews) are polled on a schedule, waking the agent only when something actually changed. Event content is treated as untrusted and quarantined before it can influence any action.
Connecting your own MCP server
Any MCP server works — point the agent at its URL and pick the auth type (OAuth discovery per RFC 9728, API key, bearer, or none). On connect, Waveguide:
- Discovers the tools the server exposes (
tools/list). - Classifies each tool into a risk tier T0–T3 using a conservative heuristic — read/search verbs are T0, writes T1, send/post/publish T2, and anything touching money or deletion T3. Unknown verbs fail safe to T2. You can override a tier per tool.
- Scans every tool description for prompt-injection / tool-poisoning patterns (instruction overrides, hidden preconditions, exfiltration directives, credential references). A flagged tool is deactivated until you review it.
- Records a manifest hash so a server that quietly changes what its tools do is detected on the next sync — drift re-triggers review instead of silently granting new behavior.
Network manifests
Each tool connection declares the hosts it’s allowed to reach. The egress proxy enforces this default-deny: a tool that claims to be a CRM can’t suddenly call an unrelated host, because the proxy refuses the connection.
How tools appear to the agent
Connected tools mount as capabilities in the agent’s sandbox. Tier gating happens at call time in the proxy, same
as everything else: a T0 search runs freely, a T2 send_email needs your approval or a standing policy, and a T3
tool call always needs a human. Every call is in the audit trail.
Outreach lanes
Tools that send (email campaigns, social DMs, SMS) declare lane semantics — which channel they represent and how replies come back. That’s how a tool like Instantly plugs into missions with correct reply routing and suppression handling.