{"slug": "your-ai-agent-can-delete-every-container-on-your-machine", "title": "Your AI Agent Can Delete Every Container on Your Machine", "summary": "A developer warns that AI coding assistants with access to Docker MCP servers can inadvertently delete all containers, images, and volumes on a machine. The ckreiling/mcp-server-docker exposes 19 tools, including destructive operations like remove_container and remove_volume, without built-in restrictions. To prevent such incidents, the developer introduces Intercept, a policy layer that blocks destructive calls and rate-limits creation tools.", "body_md": "Your AI coding assistant just wiped your local Docker environment. You asked it to \"clean up that test container,\" and it decided to be thorough — removed every container, deleted the images they were built from, and destroyed the volumes holding your database state. Your PostgreSQL data, your Redis cache, your Elasticsearch index. Gone. No confirmation prompt, no undo.\n\nIt was trying to help. The [Docker MCP server](https://github.com/ckreiling/mcp-server-docker) gave it the tools to list, create, start, stop, and — critically — remove every Docker resource on your machine. The agent saw old containers, stale images, and orphaned volumes. It cleaned them all. As we explored in [What Happens When Your AI Agent Goes Rogue](https://policylayer.com/blog/ai-agent-goes-rogue), these aren't edge cases. They're the predictable consequence of giving agents destructive capabilities without constraints.\n\nThe `ckreiling/mcp-server-docker` MCP server exposes 19 tools. The read operations are harmless — `list_containers`, `list_images`, `list_volumes`, `fetch_container_logs`. Fine. 
Let agents inspect your environment all day.\n\nThe problem is the other half:\n\n- `remove_container`\n- `remove_image`\n- `remove_network`\n- `remove_volume`\n\nThen there are the creation and execution tools — `create_container`, `run_container`, `build_image`, `pull_image`. Not destructive individually, but a runaway loop pulling hundreds of images or spawning containers will exhaust your disk and CPU in minutes.\n\nMCP provides no built-in mechanism to restrict any of this.\n\n[Intercept](https://github.com/policylayer/intercept) sits between your agent and the Docker MCP server. Every `tools/call` is evaluated against a YAML policy before it reaches Docker. Violating calls are blocked and the agent receives a clear denial message — no silent failures.\n\nFirst, block all destructive operations outright:\n\n```\nversion: \"1\"\ndescription: \"Policy for ckreiling/mcp-server-docker\"\ndefault: \"allow\"\ntools:\n    remove_container:\n        rules:\n            - name: \"block container removal\"\n              action: deny\n              on_deny: \"Removing containers is not permitted. Stop the container instead.\"\n    remove_image:\n        rules:\n            - name: \"block image removal\"\n              action: deny\n              on_deny: \"Removing images is not permitted.\"\n    remove_network:\n        rules:\n            - name: \"block network removal\"\n              action: deny\n              on_deny: \"Removing networks is not permitted.\"\n    remove_volume:\n        rules:\n            - name: \"block volume removal\"\n              action: deny\n              on_deny: \"Removing volumes is not permitted. Volume data could be lost.\"\n```\n\nFour `action: deny` rules. Unconditional. The agent can still stop containers — it just cannot delete anything. 
When it tries, it gets the `on_deny` message as the tool response, telling it what to do instead.\n\nNext, rate limit the creation tools to prevent runaway loops:\n\n```\n    create_container:\n        rules:\n            - name: \"rate limit container creation\"\n              rate_limit: \"10/hour\"\n              on_deny: \"Container creation rate limit exceeded (10/hour). Wait before creating more containers.\"\n    run_container:\n        rules:\n            - name: \"rate limit container run\"\n              rate_limit: \"10/hour\"\n              on_deny: \"Container run rate limit exceeded (10/hour). Wait before running more containers.\"\n    build_image:\n        rules:\n            - name: \"rate limit image build\"\n              rate_limit: \"10/hour\"\n              on_deny: \"Image build rate limit exceeded (10/hour). Wait before building more images.\"\n    pull_image:\n        rules:\n            - name: \"rate limit image pull\"\n              rate_limit: \"10/hour\"\n              on_deny: \"Image pull rate limit exceeded (10/hour). Wait before pulling more images.\"\n```\n\nTen per hour on each creation tool. Enough for legitimate development workflows. Not enough to fill your disk.\n\nA global rate limit catches everything else:\n\n```\n    \"*\":\n        rules:\n            - name: \"global rate limit\"\n              rate_limit: \"60/minute\"\n              on_deny: \"Global rate limit exceeded (60 calls/minute). Slow down.\"\n```\n\nThe `default: \"allow\"` posture lets read tools pass through unrestricted. If you want tighter control, switch to `default: \"deny\"` and explicitly allowlist each tool.\n\nInstall Intercept and point it at the Docker MCP server:\n\n```\nnpm install -g @policylayer/intercept\n```\n\nThen run it with the Docker policy:\n\n```\nintercept -c docker.yaml -- npx -y @ckreiling/mcp-server-docker\n```\n\nEvery tool call now passes through the policy engine. Container removal gets blocked. 
Image pull number 11 in an hour gets blocked. Your volumes survive the agent's enthusiasm for tidying up.", "url": "https://wpnews.pro/news/your-ai-agent-can-delete-every-container-on-your-machine", "canonical_source": "https://dev.to/policylayer/your-ai-agent-can-delete-every-container-on-your-machine-i9i", "published_at": "2026-06-16 13:19:37+00:00", "updated_at": "2026-06-16 13:48:22.917602+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "developer-tools"], "entities": ["Docker", "MCP", "Intercept", "ckreiling/mcp-server-docker", "PolicyLayer"], "alternates": {"html": "https://wpnews.pro/news/your-ai-agent-can-delete-every-container-on-your-machine", "markdown": "https://wpnews.pro/news/your-ai-agent-can-delete-every-container-on-your-machine.md", "text": "https://wpnews.pro/news/your-ai-agent-can-delete-every-container-on-your-machine.txt", "jsonld": "https://wpnews.pro/news/your-ai-agent-can-delete-every-container-on-your-machine.jsonld"}}