IT

How do MCP tools work inside workflow agents?

MCP tools are exposed to workflow agents through skills—IT controls which tools are visible, which require confirmation before executing, and which may be used by sub-agents.

When HR or IT builds a configurable agent step in a workflow, it assigns skills to that step. MCP-backed skills work in exactly the same model as chat skills—but the workflow context adds important nuances around sub-agents and confirmation gates.

How MCP tools reach the agent

  1. IT registers an MCP connector in Company settings → Integrations via New connector (server URL, auth mode, credentials—see How to create an MCP connector (Company settings)).
  2. IT attaches the integration to a skill and assigns that skill to the relevant channels or workflow steps.
  3. When a workflow agent step is configured, the builder selects which skills (and therefore which MCP tools) the agent may use.
  4. At runtime, the agent loads the skill on demand and calls MCP tools as needed.

Tool-level permissions for workflows

For each MCP tool, IT can configure:

  • Requires confirmation: the workflow pauses for a human Approve / Reject before executing the tool. Use this for irreversible or sensitive operations—writing to production systems, sending external email, or modifying records.
  • Allowed in sub-agent: whether the tool is exposed when a main agent delegates a task to a sub-agent. Tools that require confirmation should not be enabled for sub-agents, since sub-agents cannot trigger approval flows.

Example

Your IT team registers an MCP integration to an internal ticketing system. The skill has three tools:

  • search_issues — no confirmation required, allowed in sub-agent.
  • get_issue — no confirmation required, allowed in sub-agent.
  • update_issue — confirmation required, not allowed in sub-agent.

A workflow agent can now search and read issues autonomously. Any update pauses the workflow for a human click. Sub-agents can read but never write.

Skills assigned to workflow steps

  • Skills must be explicitly selected on the agent step—a skill enabled for chat is not automatically available in workflows.
  • Use delegatable skills (a separate field on the agent step) to control which skills sub-agents may access. This list is usually a strict subset of the main agent's skills.

Guardrails

  • Sub-agents cannot trigger confirmation flows. If a workflow step needs a confirmation-gated tool, it must run on the main agent, not be delegated.
  • MCP credentials are encrypted at rest. Scope credentials to the minimum permissions the integration needs—read-only credentials for read-only skills.
  • Sandboxed MCP servers (running in isolated containers) are available for untrusted or third-party MCP servers. Contact your Harriet account team if you need this mode.
  • Review MCP tool assignments whenever a workflow's purpose changes or a team reorganization affects ownership of the integration.

For Endpoint AI review of connectors before rollout, see What rollout checks should we complete before turning on new integrations or skills? and Using Skilify to build skills locally, submit for review, and provision them when workflow skills come from submitted packages.

Use Harriet in your organisation for searchable help, AI assistance, and your company knowledge base.

Log in to Harriet