Use the LWC Security MCP Tools (Beta)
The guide_lwc_security tool analyzes components based on product security and Lightning Web Security Guidelines. It helps you identify vulnerabilities and recommends fixes.
MCP Tools for LWC is a pilot or beta service that is subject to the Beta Services Terms at Agreements - Salesforce.com or a written Unified Pilot Agreement if executed by Customer, and applicable terms in the Product Terms Directory. Use of this pilot or beta service is at the Customer's sole discretion.
Here are some possible prompts that invoke the security tool.
Ask about how to align your code with LWC security best practices.
- Analyze this component to flag XSS/DOM injection risks for lwc:dom="manual" and innerHTML. Suggest fixes for this component.
- Generate a secure LWC and Apex checklist for create, read, update, delete operations. Consider field-level security, WITH SHARING, SOQL injection prevention, and input validation.
- Audit the third‑party libraries under Lightning Web Security and CSP, and recommend safe integration patterns.
The tool identifies anti-patterns in the LWC code based on Lightning Web Security best practices, returning an assessment with recommendations for next steps.
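To make the first prompt concrete, here is a small local pre-check for the two markers it names, lwc:dom="manual" and innerHTML. It is an added example, not the guide_lwc_security tool or its logic; the function name, rule names and sample component are constructed for illustration.

```javascript
// Added example: a regex pre-check, not Salesforce's tool or its implementation.
// Constructed sample component source (not from the page).
const sampleTemplate = `
<template>
  <div class="preview" lwc:dom="manual"></div>
  <p>{label}</p>
</template>`;

const sampleJs = `
renderedCallback() {
  const box = this.template.querySelector('.preview');
  box.innerHTML = this.userComment;
  box.innerHTML = '';
}`;

// Hypothetical helper: returns one finding per line worth a manual review.
function findDomInjectionRisks(templateSrc, jsSrc) {
  const findings = [];

  // Template side: containers whose DOM the component manages by hand.
  templateSrc.split('\n').forEach((line, i) => {
    if (/lwc:dom\s*=\s*["']manual["']/.test(line)) {
      findings.push({ file: 'html', line: i + 1, rule: 'manual-dom-container' });
    }
  });

  // JavaScript side: assignments (= or +=) to innerHTML; comparisons are skipped.
  jsSrc.split('\n').forEach((line, i) => {
    const m = /\.innerHTML\s*\+?=(?!=)\s*(.+?);?\s*$/.exec(line);
    if (!m) return;
    const value = m[1].trim();
    // A quoted literal with no escapes or interpolation carries no dynamic data.
    const isStaticLiteral = /^(['"])(?:(?!\1)[^\\])*\1$/.test(value);
    if (!isStaticLiteral) {
      findings.push({ file: 'js', line: i + 1, rule: 'dynamic-innerHTML', value });
    }
  });

  return findings;
}

console.log(findDomInjectionRisks(sampleTemplate, sampleJs));
```

Where a finding turns out to be real, binding the value in the template or assigning it to textContent keeps it from being parsed as HTML.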
When working with these tools using Agentforce Vibes Extension, you must enable the a4d-general-rules-no-edit.md and a4d-lwc-rules-no-edit.md global rules. The a4d-general-rules-no-edit.md rule is enabled by default. For more information on configuring rules in Agentforce Vibes, see Agentforce Rules in the Agentforce Vibes Extension Developer Guide.