For agent developers

Agent Safety Model

How MiOffice's MCP and agent surfaces are designed so AI agents can use our tools safely on behalf of users.

Tool invocation model

MiOffice tools return tool URLs, not direct file-processing actions. When an agent calls a MiOffice tool via MCP, the response is a URL the user opens in their browser. The agent never receives the user's files.
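An agent-side check that fits this model, added here as an example and not taken from MiOffice's own code: before showing a returned tool URL to the user, confirm it is a plain https link on the origin you expect. The hostname `mioffice.example`, the sample paths and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: placeholder origin; replace with the origin your integration trusts.
ALLOWED_HOSTS = frozenset({"mioffice.example"})


class UnsafeToolURL(ValueError):
    """Raised when a tool result must not be presented to the user as a link."""


def vet_tool_url(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return the URL unchanged if it is safe to hand to the user, else raise."""
    # Refuse whitespace, control characters and backslashes up front: URL
    # parsers disagree on them, so the browser could see a different host.
    if not isinstance(raw, str) or "\\" in raw or any(
            ord(c) < 0x21 or ord(c) == 0x7F for c in raw):
        raise UnsafeToolURL("not a clean URL string")
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise UnsafeToolURL(f"unparseable URL: {exc}") from exc
    if parts.scheme != "https":
        raise UnsafeToolURL("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise UnsafeToolURL("userinfo is not allowed")
    if port not in (None, 443):
        raise UnsafeToolURL("unexpected port")
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    if host not in allowed_hosts:  # exact match, no suffix matching
        raise UnsafeToolURL(f"host {host!r} is not allowlisted")
    return raw


def triage(urls, allowed_hosts=ALLOWED_HOSTS):
    """Map each candidate URL to 'ok' or the reason it was refused."""
    verdicts = {}
    for u in urls:
        try:
            vet_tool_url(u, allowed_hosts)
            verdicts[u] = "ok"
        except UnsafeToolURL as exc:
            verdicts[u] = str(exc)
    return verdicts


if __name__ == "__main__":
    # Constructed sample tool results, not real MiOffice responses.
    for url, verdict in triage(["https://mioffice.example/tools/pdf-merge",
                                "http://mioffice.example/tools/pdf-merge"]).items():
        print(f"{verdict:28} {url}")
```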

Catalog discovery

Catalog discovery is unauthenticated. Any agent can read /.well-known/webmcp or /api/catalog to discover available tools without API keys. This makes integration straightforward and removes credential management as an attack surface.

Destructive operations

No destructive operations happen without explicit user interaction. File processing requires the user to:

  • Open the tool URL in their browser
  • Select or upload the file themselves
  • Trigger the action with an explicit click

Agents cannot bypass this flow. There is no API path where an agent can delete, overwrite, or modify a user's files directly.

Paid and GPU processing

AI Studio and other credit-based tools require explicit user action: the user must be signed in, must have credits, and must trigger the action in the browser UI. Agents cannot initiate paid jobs autonomously.

File upload (when it happens)

For tools that do upload files (AI Studio, server-fallback cases), upload happens in the browser UI with visible labels and the retention policy disclosed inline. See /privacy for retention details.

What this means for agent developers

Build integrations against MiOffice with confidence:

  • You can call tools from your agent without worrying about destructive blast radius.
  • The user remains in control of every file operation.
  • You don't need to manage MiOffice credentials in your agent's secret store.
  • Compliance posture: see /certifications. Security architecture: see /security.

Last updated: 2026-06-20

MCP discovery: /.well-known/mcp.json

Server card: /.well-known/mcp/server-card.json

WebMCP catalog: /.well-known/webmcp