{"slug": "your-ai-agent-has-push-access-to-every-repo", "title": "Your AI Agent Has Push Access to Every Repo", "summary": "The official GitHub MCP server exposes 83 tools, including destructive operations like file deletion and repository creation, without any permission model. PolicyLayer's Intercept proxy enforces deterministic YAML policies to block or rate-limit dangerous tool calls, preventing AI agents from causing damage. The tool allows developers to set rules such as blocking file deletion outright or capping write operations to 30 per hour.", "body_md": "Your coding agent just merged a pull request to main, deleted three files it thought were unused, and created a new repository called `temp-debug-workspace`. You didn't ask it to do any of that. But you gave it access to the GitHub MCP server, and the GitHub MCP server said yes to everything.\n\nThe [official GitHub MCP server](https://github.com/github/github-mcp-server) registers **83 tools**. Most people set it up for reading code and managing issues. What they don't realise is they've also handed their agent the keys to:\n\n- `delete_file`\n- `merge_pull_request`\n- `push_files`\n- `create_repository`\n- `fork_repository`\n- `create_or_update_file`\n- `actions_run_trigger`\n\nThere's no permission model inside MCP. The protocol forwards every `tools/call` from agent to server without restriction. If the GitHub token has write access, the agent has write access. And if the agent hallucinates a plan that involves tidying up old files or \"fixing\" a broken workflow, nothing stands in its way.\n\nThis is the same class of problem we covered in [what happens when an AI agent goes rogue](https://policylayer.com/blog/ai-agent-goes-rogue) — except here the blast radius is your entire GitHub organisation.\n\n[Intercept](https://github.com/policyLayer/intercept) sits between your agent and the GitHub MCP server as a proxy. Every tool call passes through a YAML policy before reaching GitHub. 
The policy is deterministic — no LLM judgment, no prompt-based guardrails, just hard rules evaluated at the transport layer.\n\nHere's the destructive tool policy from our GitHub starter config. File deletion is blocked outright:\n\n```yaml\nversion: \"1\"\ndescription: \"Policy for github/github-mcp-server\"\ndefault: \"allow\"\n\ntools:\n  # Block file deletion entirely\n  delete_file:\n    rules:\n      - name: \"block-delete\"\n        action: deny\n        on_deny: \"File deletion blocked by policy\"\n```\n\nWhen the agent tries to call `delete_file`, it receives the `on_deny` message instead. The request never reaches GitHub.\n\nFor write operations you want to permit but not leave unchecked, rate limits keep things sane:\n\n```yaml\ntools:\n  # Cap write operations\n  create_or_update_file:\n    rules:\n      - name: \"rate-limit-writes\"\n        rate_limit: \"30/hour\"\n        on_deny: \"Rate limit: max 30 write operations per hour\"\n\n  push_files:\n    rules:\n      - name: \"rate-limit-writes\"\n        rate_limit: \"30/hour\"\n        on_deny: \"Rate limit: max 30 write operations per hour\"\n\n  # Tighter limit on repo creation\n  create_repository:\n    rules:\n      - name: \"rate-limit-repo-creation\"\n        rate_limit: \"5/hour\"\n        on_deny: \"Rate limit: max 5 repository creations per hour\"\n\n  # Comments can loop fast — cap them\n  add_issue_comment:\n    rules:\n      - name: \"rate-limit-comments\"\n        rate_limit: \"20/hour\"\n        on_deny: \"Rate limit: max 20 comments per hour\"\n\n  # Workflow triggers are expensive\n  actions_run_trigger:\n    rules:\n      - name: \"rate-limit-workflows\"\n        rate_limit: \"10/hour\"\n        on_deny: \"Rate limit: max 10 workflow triggers per hour\"\n```\n\nRate limits use [stateful counters](https://policylayer.com/blog/rate-limiting-mcp-tool-calls) that reset at the top of each window (hour, minute, or day). 
If the agent burns through 30 file writes in a loop, it's cut off until the next hour — and it knows why, because the denial message tells it.\n\nFinally, a global backstop catches anything you haven't explicitly configured:\n\n```yaml\ntools:\n  \"*\":\n    rules:\n      - name: \"global-rate-limit\"\n        rate_limit: \"120/minute\"\n        on_deny: \"Global rate limit: max 120 calls per minute\"\n```\n\nThis caps the agent at 120 total tool calls per minute across all 83 tools. Even if you forget to add a rule for a specific tool, the wildcard catches runaway loops before they cause real damage.\n\nInstall Intercept and point it at the GitHub MCP server:\n\n```bash\n# Install\nnpm install -g @policylayer/intercept\n\n# Run with the GitHub policy\nintercept -c github.yaml -- npx -y @modelcontextprotocol/server-github\n```\n\nEvery tool call now passes through the policy. Denied calls return the `on_deny` message to the agent. Allowed calls forward to GitHub as normal. The agent doesn't know Intercept is there — it just sees an MCP server that sometimes says no.\n\nYou can start with our pre-built GitHub policy and adjust from there. 
Block what's dangerous, rate limit what's useful, and leave read-only tools open.", "url": "https://wpnews.pro/news/your-ai-agent-has-push-access-to-every-repo", "canonical_source": "https://dev.to/policylayer/your-ai-agent-has-push-access-to-every-repo-1he7", "published_at": "2026-06-16 13:20:40+00:00", "updated_at": "2026-06-16 13:48:10.814516+00:00", "lang": "en", "topics": ["ai-agents", "developer-tools", "ai-safety", "ai-infrastructure"], "entities": ["GitHub", "PolicyLayer", "Intercept", "GitHub MCP server"], "alternates": {"html": "https://wpnews.pro/news/your-ai-agent-has-push-access-to-every-repo", "markdown": "https://wpnews.pro/news/your-ai-agent-has-push-access-to-every-repo.md", "text": "https://wpnews.pro/news/your-ai-agent-has-push-access-to-every-repo.txt", "jsonld": "https://wpnews.pro/news/your-ai-agent-has-push-access-to-every-repo.jsonld"}}