Your AI Agent Can Delete Every Container on Your Machine

A developer warns that AI coding assistants with access to Docker MCP servers can inadvertently delete all containers, images, and volumes on a machine. The ckreiling/mcp-server-docker exposes 19 tools, including destructive operations like remove_container and remove_volume, without built-in restrictions. To prevent such incidents, the developer introduces Intercept, a policy layer that blocks destructive calls and rate-limits creation tools.

Your AI coding assistant just wiped your local Docker environment. You asked it to "clean up that test container," and it decided to be thorough — removed every container, deleted the images they were built from, and destroyed the volumes holding your database state. Your PostgreSQL data, your Redis cache, your Elasticsearch index. Gone. No confirmation prompt, no undo.

It was trying to help. The Docker MCP server (https://github.com/ckreiling/mcp-server-docker) gave it the tools to list, create, start, stop, and — critically — remove every Docker resource on your machine. The agent saw old containers, stale images, and orphaned volumes. It cleaned them all.

As we explored in What Happens When Your AI Agent Goes Rogue (https://policylayer.com/blog/ai-agent-goes-rogue), these aren't edge cases. They're the predictable consequence of giving agents destructive capabilities without constraints.

The ckreiling/mcp-server-docker MCP server exposes 19 tools. The read operations are harmless — list_containers, list_images, list_volumes, fetch_container_logs. Fine. Let agents inspect your environment all day.

The problem is the other half:

- remove_container
- remove_image
- remove_network
- remove_volume

Then there are the creation and execution tools — create_container, run_container, build_image, pull_image. Not destructive individually, but a runaway loop pulling hundreds of images or spawning containers will exhaust your disk and CPU in minutes.
MCP provides no built-in mechanism to restrict any of this.

Intercept (https://github.com/policylayer/intercept) sits between your agent and the Docker MCP server. Every tools/call is evaluated against a YAML policy before it reaches Docker. Violating calls are blocked and the agent receives a clear denial message — no silent failures.

First, block all destructive operations outright:

    version: "1"
    description: "Policy for ckreiling/mcp-server-docker"
    default: "allow"
    tools:
      remove_container:
        rules:
          - name: "block container removal"
            action: deny
            on_deny: "Removing containers is not permitted. Stop the container instead."
      remove_image:
        rules:
          - name: "block image removal"
            action: deny
            on_deny: "Removing images is not permitted."
      remove_network:
        rules:
          - name: "block network removal"
            action: deny
            on_deny: "Removing networks is not permitted."
      remove_volume:
        rules:
          - name: "block volume removal"
            action: deny
            on_deny: "Removing volumes is not permitted. Volume data could be lost."

Four action: deny rules. Unconditional. The agent can still stop containers — it just cannot delete anything. When it tries, it gets the on_deny message as the tool response, telling it what to do instead.

Next, rate limit the creation tools to prevent runaway loops:

      create_container:
        rules:
          - name: "rate limit container creation"
            rate_limit: "10/hour"
            on_deny: "Container creation rate limit exceeded (10/hour). Wait before creating more containers."
      run_container:
        rules:
          - name: "rate limit container run"
            rate_limit: "10/hour"
            on_deny: "Container run rate limit exceeded (10/hour). Wait before running more containers."
      build_image:
        rules:
          - name: "rate limit image build"
            rate_limit: "10/hour"
            on_deny: "Image build rate limit exceeded (10/hour). Wait before building more images."
      pull_image:
        rules:
          - name: "rate limit image pull"
            rate_limit: "10/hour"
            on_deny: "Image pull rate limit exceeded (10/hour). Wait before pulling more images."

Ten per hour on each creation tool.
Enough for legitimate development workflows. Not enough to fill your disk.

A global rate limit catches everything else:

      "*":
        rules:
          - name: "global rate limit"
            rate_limit: "60/minute"
            on_deny: "Global rate limit exceeded (60 calls/minute). Slow down."

The default: "allow" posture lets read tools pass through unrestricted. If you want tighter control, switch to default: "deny" and explicitly allowlist each tool.

Install Intercept and point it at the Docker MCP server:

    npm install -g @policylayer/intercept

Then run it with the Docker policy:

    intercept -c docker.yaml -- npx -y @ckreiling/mcp-server-docker

Every tool call now passes through the policy engine. Container removal gets blocked. Image pull number 11 in an hour gets blocked. Your volumes survive the agent's enthusiasm for tidying up.
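
The check described above (deny rules, per-tool limits, the wildcard limit and the default posture), modelled as an added example that is not Intercept's code or part of the original post. Sliding-window counting, the own-rules-then-wildcard order, the default-deny message and the names POLICY, rulesFor and makeEvaluator are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the policy check, not Intercept's code.
// POLICY mirrors three entries of the YAML policy above as a plain object.
const POLICY = {
  default: "allow",
  tools: {
    remove_volume: { rules: [{ name: "block volume removal", action: "deny",
      on_deny: "Removing volumes is not permitted. Volume data could be lost." }] },
    pull_image: { rules: [{ name: "rate limit image pull", rate_limit: "10/hour",
      on_deny: "Image pull rate limit exceeded (10/hour). Wait before pulling more images." }] },
    "*": { rules: [{ name: "global rate limit", rate_limit: "60/minute",
      on_deny: "Global rate limit exceeded (60 calls/minute). Slow down." }] },
  },
};
const WINDOW_MS = { minute: 60000, hour: 3600000 };

// Own-property lookup so tool names such as "constructor" never hit the prototype.
const rulesFor = (policy, tool) =>
  Object.prototype.hasOwnProperty.call(policy.tools, tool) ? policy.tools[tool].rules : null;

// Assumed semantics: sliding window per rule; only forwarded calls are counted.
function makeEvaluator(policy) {
  const history = new Map(); // rule name -> timestamps (ms) of forwarded calls
  return function evaluate(request, nowMs) {
    if (request.method !== "tools/call") return { allowed: true };
    const tool = request.params.name;
    const own = rulesFor(policy, tool);
    if (!own && policy.default === "deny")
      return { allowed: false, rule: "default", message: `Tool ${tool} is not allowlisted.` };
    const rules = [...(own || []), ...(tool === "*" ? [] : rulesFor(policy, "*") || [])];
    const pending = [];
    for (const rule of rules) {
      const deny = { allowed: false, rule: rule.name, message: rule.on_deny };
      if (rule.action === "deny") return deny;
      if (!rule.rate_limit) continue;
      const [max, unit] = rule.rate_limit.split("/");
      const recent = (history.get(rule.name) || []).filter((t) => nowMs - t < WINDOW_MS[unit]);
      if (recent.length >= Number(max)) return deny;
      pending.push([rule.name, recent]);
    }
    // Record the call against every limit only after all rules have passed.
    for (const [name, recent] of pending) history.set(name, [...recent, nowMs]);
    return { allowed: true };
  };
}

// Constructed demo: a JSON-RPC tools/call request for a blocked tool.
const demo = makeEvaluator(POLICY);
console.log(demo({ jsonrpc: "2.0", id: 1, method: "tools/call",
  params: { name: "remove_volume", arguments: {} } }, Date.now()));
```

Because denied calls are not counted in this model, an agent that keeps retrying a blocked tool does not consume the global budget; a stricter variant would count attempts as well.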