get notified →
Preview

Better tools for your agents, one open-source toolbox

Like humans, your AI agents are limited by the quality of their tools. We're building an open toolbox that lets them do their best work.

Get notified of our public launch See how it works 
$ npm i @include-tools/toolbox
 toolbox installed

$ toolbox install github.com/include-tools/google
 Connected as [email protected] (personal)
 Connected as [email protected] (work)

Just one super tool.

After installing toolbox, your agent will have a new super tool for everything

A tool for everything

The super tool gives your agent access to every tool inside our tool registry. When your agent needs a capability it does not have, it can use discovery to find the right package, request it, and use it once approved.
Alternatively, if you need full control, you can use the toolset.json to pick exactly which tools your agent has and how it uses them.
.
It provides a better way for your agents to interact with outside systems and the world. It's more efficient, safer, and flexible than what they are doing today.
You can securely add your email — work and personal — calendar, social networks, news sites, and more. Adding a new tool is easy

Installing tools

When your agent needs a capability it does not have, it can use discovery to find the right tool package and ask you to install it. You can also install packages directly: for example, to add Google tools, run toolbox install github.com/include-tools/google inside the working directory of your agent.
Follow the prompts, and you will have working Google integration — Gmail, Calendar, Drive, Contacts. Authorized, installed, verified

Tool package installation & verification

Toolbox automatically downloads packages from GitHub or other Git repositories. Once downloaded

Automatic downloading

Packages are downloaded directly from GitHub Releases if they have been released as a versioned package file

Small versioned packages

Most packages contain a small amount of TypeScript code and compress into a few kilobytes that can be downloaded in seconds.
The packages themselves are just compressed files with an accompanying manifest which describes what tools are in the package and how to use them.
. If no versions have been released on GitHub, the package resolver will clone the repository and use the latest commit.
 and cached, packages are verified to ensure they have not been tampered with before being loaded.
Package versions are locked so that only you choose when to upgrade.
, and ready for your AI agent to use. No config file editing, no restart, no MCP sysadmin work.
 and it's ready for use in seconds.

Better tools let AI do better work.

With toolbox, your agent can combine code and tools together

Code mode combines code and tools

Real tasks are never one function call. "Find Alex's email about the demo, check my calendar for a free hour, reply with the top two slots" is four or five steps — and most agent setups make the model do each one as a separate round-trip through the LLM.
With include.tools, your agent writes a short script that does all of them in a single pass

One pass vs. many round-trips.

Traditional function calling: agent emits a call → host executes → result goes back into the context → agent decides the next step → emits the next call → host executes → … Each step is a full round-trip through the model.
With a code-execution environment: your agent writes the whole multi-step script at once and it runs in a single pass. The model only sees the final result.
For tasks with five or more steps, this is usually much faster and vastly cheaper. The difference compounds with complexity.
.
 — aka code mode. This saves a huge amount of time and token burn.
Example agent task

Email a personalized thank-you to every cloudflare/agents contributor (where code mode began).

11× faster
76× cheaper
// Using Toolbox
> Email a personalized thank-you to every cloudflare/agents contributor
thinking
0
super tool calls
0K (~$0.00)*
tokens used (1M context)
0s
task elapsed time
// Using MCP
> Email a personalized thank-you to every cloudflare/agents contributor
thinking
0
tool calls
0K (~$0.00)*
tokens used (1M context)
0s
task elapsed time
* Approx. Opus 4.7 API cost as of May 2026.
Keeping tool tokens out of the model context keeps the model focused on the difficult bits, not the plumbing

Why the plumbing should stay out of context

The more raw tool output, schemas, and intermediate state you put into the model context, the less room the model has for reasoning. Large contexts are not free: attention gets diluted, relevant details become harder to find, and models are more likely to miss the thing that matters.
Toolbox keeps repetitive tool work outside the model context so the model can spend its attention on judgment, planning, and deciding what to do next.
.

Painless access to multiple accounts.

Using more than one account is first-class in toolbox. Authorize a second account, and toolbox automatically adds a <provider>_account field to the Code Mode SDK, so your agent can choose the right account by name (e.g. Personal and Work). No messing around with multiple MCP servers.

cell 1 — overlap across both calendars 412 ms
const one_hour = 60 * 60 const nextWeek = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000) const openings = await Promise.all( ["work", "personal"].map(account => calendar.findOpenings({ google_account: account, duration: one_hour, after: nextWeek, })) ) // Reusable helpers like findCalendarOverlap can be saved in Skills, // so future code-mode calls are even shorter and more efficient. const shared_openings = findCalendarOverlap(openings, { workHours: { timezone: "America/Los_Angeles", days: ["mon", "tue", "wed", "thu", "fri"], start: "09:00", end: "17:00", }, }) // The agent can inspect a preview before writing the reply. inspect(shared_openings)
returned[ "Thu May 21, 10:00–11:00", "Fri May 22, 14:00–15:00" ]
cell 2 — send the reply from the work inbox 188 ms
await gmail.send({ google_account: "work", to: "[email protected]", subject: "Re: demo time", body: `I can do ${shared_openings[0]} or ${shared_openings[1]}.`, })
sent{ id: "1932af…", threadId: "1932ab…" }
An agent with Toolbox finds overlap across work and personal calendars, inspects the result, then sends from the right inbox.

The revision loop.

Along with the super tool, your agent gets a second new tool: wait.
It lets your agent choose to pause the conversation and wait until new tool approval or rejection responses arrive. It sounds dull. However, because rejections can contain feedback, this creates a fast and tight revision loop with your agent that you'll love.

User reviews emails to be sent in approval queues, but is unhappy with one.

The wait tool returns the feedback, so the LLM starts again automatically.

A new approval appears with the requested revision.

Approval queue
2 pending1 pending0 pending
Gmail Send email (personal)
RejectApprove
To

[email protected]

Subject

Happy birthday!

Body

Happy birthday — hope you have a wonderful day!

Gmail Send email (work)
RejectApprove
To

[email protected]

Subject

Re: demo time

Body

I can do Tuesday at 2pm or Wednesday at 11am.

Reject 1 approval?

Only offer the first time slot.
CancelSubmit decisions
Email to Jamie sent, email to Alex needs a change.
Now using super_tool to send updated email to Alex.
Gmail Send email (work)
RejectApprove
To

[email protected]

Subject

Re: demo time

Body

I can do Tuesday at 2pm.

Trust, layer by layer.

Your agent touches real data — real email, real calendar, real accounts. We designed the trust layer before the catalog, so every tool you install arrives with the same boundaries in place.

None of these are magic. Each one does one specific thing, and together they mean a compromised prompt can't quietly drain your inbox.

Multi-account credentials

Authorize multiple accounts of the same service with toolbox auth. Your agent addresses them by name in code — gmail.send({ google_account: "work", … }) — so work and personal never get mixed up at the call site.

No tool tampering

Every tool package ships with a manifest of SHA-256 hashes. Those hashes land in your *.toolset.lock on install, and Toolbox re-hashes the cached bytes on every tool load — not just install, every invocation — refusing to run on mismatch. The code you reviewed once is the code that runs every time, byte-for-byte.

Locked by default

Your credentials live in an age-encrypted store the Toolbox daemon opens once per daemon start. Unlock with a password or a single OS-level gesture; lock it again when you step away. While locked, no tool can reach your accounts — not your own, and not a compromised one. While unlocked, the daemon hands credentials to the transport layer per-tool — your agent and the notebook never see the raw secret.

Isolated runtime

Tools run in an isolated JavaScript runtime with no filesystem, process, or OS access by default. Credentials are attached at the network layer from an encrypted store outside the runtime — your tool code (and your agent) never sees the raw secret.

Deny-by-default network

Every tool declares the hosts it's allowed to reach. Calls outside that allowlist are blocked at the runtime layer. This is the boundary that makes isolation meaningful — a rogue fetch to an attacker-controlled domain simply doesn't go through.

Graceful recovery

Your agent's working state — variables it computed, files it fetched, intermediate results — lives in a durable workspace. If a tool call fails halfway through a task, the agent can keep the successful work, inspect the error, adjust its code, and retry from the point of failure instead of starting over.

Every tool package declares what it can do and what it touches.

Each tool exposes a typed TypeScript manifest. Multi-account is part of the call signature, not a side channel. Network and data-access rules are declared per-tool in the manifest and enforced at the runtime layer — not by hoping the agent behaves.

Packages are distributed on npm under @include-tools/* and installable via toolbox install github.com/include-tools/<name>. Lockfile-pinned, reproducible, check-into-git.

In use today (many more coming) · github.com/include-tools/google-workspace
gmail
Read, send, search, label across multiple accounts
google calendar
Events, free slots, attendees, multi-calendar
drive
Search, read, write across multiple accounts

toolset.json — like package.json, but for agents. (and better)

Every project has a package.json that declares its dependencies, pins versions, and makes the build reproducible. Your agent needs the same.

A toolset.json pins which packages your agent can use and at which exact version, and lists the specific tools it exposes — with a companion lockfile that verifies every install. Check it into your repo. Share it with your team. Reproduce environments. Scope per project. Updates only happen when you run the package manager — never silently behind your back.

The toolset.json also configures how your tools work.

Want to limit a tool to just posting on two slack channels, easy. Ask for approval when sending external emails, but free range internally? easy.

// package.json
{
  "name": "my-app",
  "dependencies": {
    "react":  "^18.2.0",
    "lodash": "^4.17.0",
    "zod":    "^3.22.0"
  }
}
// toolset.json
{
  "packages": {
    "github.com/include-tools/google-workspace": "1.2.0"
  }
}
Left: your project's dependencies. Right: your agent's.

The bytes you installed are the bytes that run — every time. Each tool package ships with a manifest that lists every tool's SHA-256 hash; Toolbox re-hashes the cached bytes on every tool load — not just at install — and refuses to run on mismatch. (Cryptographic signing is planned. Today's guarantee is reproducibility of bytes, not identity of authors.)

No framework switch required.

include.tools plugs into the agent runtime you already use. One install command — no framework rewrite, no config file archaeology.

claude-code
Claude Desktop
Cursor
Windsurf
Pi
OpenClaw

Works with OpenClaw via Pi-extension, direct integration coming. Works with any harness that can make MCP tool calls.

Runs on your machine. With your API key. We never see your data.

Toolbox is a local server that runs on your computer. Your API keys, OAuth credentials, your logs, and your sessions all stored locally. We don't host execution. We don't proxy your tool calls remotely. There is no middleman.

Here's the path every agent super-tool call takes.

When your agent harness launches, a toolbox session process starts (MCP / Pi-extension over stdio). The toolbox session provides the super-tool to your agent harness. When your agent makes a tool call, a persistent sandboxed TypeScript notebook executes it as a cell. Any tool calls invoked in that cell run in a separate sandbox. This ensures agents and tools can only communicate via serialized JS arguments, and lets us adjust the network and filesystem surface for each sandbox separately.

A separate toolbox server process holds your encrypted secrets, unlocking on start with a passphrase and surviving toolbox session process restarts. It attaches credentials at the transport layer, so neither the notebook nor any tool sandbox ever sees a credential. Every outbound tool request is checked against a per-tool deny-by-default host allowlist declared in the tool's manifest.

toolbox server process

toolbox session process

tool.call()

MCP / Pi · stdio

per-tool credentials

response

agent harness
your AI agent

super-tool · notebook
persistent, sandboxed TypeScript REPL

per-tool sandbox
one per tool call · net/FS surface tunable per tool

transport + per-tool allowlist
deny-by-default · declared hosts only

encrypted secrets
unlocked on start (passphrase) · survives session restarts

external service
Gmail · Calendar · …

// waitlist

Get notified when the preview opens.

We're letting developers in as we're ready. Leave your email — we'll reach out when the public launch is live.

We'll delete your email after sending one notification, promise.

About