# Your AI Agent Has Push Access to Every Repo

The official GitHub MCP server exposes 83 tools, including destructive operations like file deletion and repository creation, without any permission model. PolicyLayer's Intercept proxy enforces deterministic YAML policies to block or rate-limit dangerous tool calls, preventing AI agents from causing damage. The tool allows developers to set rules such as blocking file deletion outright or capping write operations to 30 per hour.

Your coding agent just merged a pull request to main, deleted three files it thought were unused, and created a new repository called `temp-debug-workspace`. You didn't ask it to do any of that. But you gave it access to the GitHub MCP server, and the GitHub MCP server said yes to everything.

The [official GitHub MCP server](https://github.com/github/github-mcp-server) registers 83 tools. Most people set it up for reading code and managing issues. What they don't realise is they've also handed their agent the keys to:

- `delete_file`
- `merge_pull_request`
- `push_files`
- `create_repository`
- `fork_repository`
- `create_or_update_file`
- `actions_run_trigger`

There's no permission model inside MCP. The protocol forwards every `tools/call` from agent to server without restriction. If the GitHub token has write access, the agent has write access. And if the agent hallucinates a plan that involves tidying up old files or "fixing" a broken workflow, nothing stands in its way.

This is the same class of problem we covered in [what happens when an AI agent goes rogue](https://policylayer.com/blog/ai-agent-goes-rogue) — except here the blast radius is your entire GitHub organisation.

[Intercept](https://github.com/policyLayer/intercept) sits between your agent and the GitHub MCP server as a proxy. Every tool call passes through a YAML policy before reaching GitHub. The policy is deterministic — no LLM judgment, no prompt-based guardrails, just hard rules evaluated at the transport layer.
Here's the destructive tool policy from our GitHub starter config. File deletion is blocked outright:

```yaml
version: "1"
description: "Policy for github/github-mcp-server"
default: "allow"

tools:
  # Block file deletion entirely
  delete_file:
    rules:
      - name: "block-delete"
        action: deny
        on_deny: "File deletion blocked by policy"
```

When the agent tries to call `delete_file`, it receives the `on_deny` message instead. The request never reaches GitHub.

For write operations you want to permit but not leave unchecked, rate limits keep things sane:

```yaml
tools:
  # Cap write operations
  create_or_update_file:
    rules:
      - name: "rate-limit-writes"
        rate_limit: "30/hour"
        on_deny: "Rate limit: max 30 write operations per hour"

  push_files:
    rules:
      - name: "rate-limit-writes"
        rate_limit: "30/hour"
        on_deny: "Rate limit: max 30 write operations per hour"

  # Tighter limit on repo creation
  create_repository:
    rules:
      - name: "rate-limit-repo-creation"
        rate_limit: "5/hour"
        on_deny: "Rate limit: max 5 repository creations per hour"

  # Comments can loop fast — cap them
  add_issue_comment:
    rules:
      - name: "rate-limit-comments"
        rate_limit: "20/hour"
        on_deny: "Rate limit: max 20 comments per hour"

  # Workflow triggers are expensive
  actions_run_trigger:
    rules:
      - name: "rate-limit-workflows"
        rate_limit: "10/hour"
        on_deny: "Rate limit: max 10 workflow triggers per hour"
```

Rate limits use [stateful counters](https://policylayer.com/blog/rate-limiting-mcp-tool-calls) that reset at the top of each window (hour, minute, or day). If the agent burns through 30 file writes in a loop, it's cut off until the next hour — and it knows why, because the denial message tells it.

Finally, a global backstop catches anything you haven't explicitly configured:

```yaml
tools:
  "*":
    rules:
      - name: "global-rate-limit"
        rate_limit: "120/minute"
        on_deny: "Global rate limit: max 120 calls per minute"
```

This caps the agent at 120 total tool calls per minute across all 83 tools.
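To make the evaluation semantics concrete, here is a small policy engine written for this post as an added example; it is not Intercept's own code and does not use its internals. It takes a `tools/call` request in the shape a proxy sees on the wire, runs the tool-specific rules first, then applies the `"*"` wildcard to every call with one shared counter, and answers denied calls locally with the `on_deny` text so the upstream server never sees them. The `policy` object is a JavaScript mirror of the YAML above (embedded inline so the file runs without a YAML parser); `PolicyEngine`, `evaluate`, `handle`, the per-tool-per-rule counter keys, and the MCP-style `isError` result used to carry the denial are all assumptions made for this example.

```javascript
// Added example, not Intercept's own code. `policy` mirrors the YAML starter
// config; the engine below is an assumed implementation of the semantics the
// post describes (deterministic rules, windowed counters, wildcard backstop).

const WINDOW_MS = { second: 1_000, minute: 60_000, hour: 3_600_000, day: 86_400_000 };

const policy = {
  version: "1",
  description: "Policy for github/github-mcp-server",
  default: "allow",
  tools: {
    delete_file: {
      rules: [{ name: "block-delete", action: "deny", on_deny: "File deletion blocked by policy" }],
    },
    create_or_update_file: {
      rules: [{ name: "rate-limit-writes", rate_limit: "30/hour",
                on_deny: "Rate limit: max 30 write operations per hour" }],
    },
    create_repository: {
      rules: [{ name: "rate-limit-repo-creation", rate_limit: "5/hour",
                on_deny: "Rate limit: max 5 repository creations per hour" }],
    },
    "*": {
      rules: [{ name: "global-rate-limit", rate_limit: "120/minute",
                on_deny: "Global rate limit: max 120 calls per minute" }],
    },
  },
};

// "30/hour" -> { limit: 30, windowMs: 3600000 }; rejects anything else.
function parseRateLimit(spec) {
  const [count, unit] = String(spec).split("/");
  if (!WINDOW_MS[unit] || !/^\d+$/.test(count)) throw new Error(`bad rate_limit: ${spec}`);
  return { limit: Number(count), windowMs: WINDOW_MS[unit] };
}

class PolicyEngine {
  constructor(policyDoc) {
    this.policy = policyDoc;
    this.counters = new Map(); // counter key -> { windowStart, count }
  }

  // Stateful counter that resets at the top of each window (the floor of `now`
  // to the window size). Returns true if this call still fits under the limit.
  consume(key, { limit, windowMs }, now) {
    const windowStart = Math.floor(now / windowMs) * windowMs;
    let c = this.counters.get(key);
    if (!c || c.windowStart !== windowStart) {
      c = { windowStart, count: 0 };
      this.counters.set(key, c);
    }
    if (c.count >= limit) return false;
    c.count += 1;
    return true;
  }

  // Tool-specific rules run first (keyed per tool and rule name, an assumption);
  // the "*" wildcard then applies to every call through one shared counter.
  evaluate(toolName, now = Date.now()) {
    const specific = this.policy.tools[toolName]?.rules ?? [];
    const wildcard = this.policy.tools["*"]?.rules ?? [];
    const checks = [
      ...specific.map((r) => ({ rule: r, key: `${toolName}:${r.name}` })),
      ...wildcard.map((r) => ({ rule: r, key: `*:${r.name}` })),
    ];
    for (const { rule, key } of checks) {
      if (rule.action === "deny") return { allowed: false, rule: rule.name, message: rule.on_deny };
      if (rule.rate_limit && !this.consume(key, parseRateLimit(rule.rate_limit), now)) {
        return { allowed: false, rule: rule.name, message: rule.on_deny };
      }
    }
    if (this.policy.default !== "allow") {
      return { allowed: false, rule: "default", message: "Denied by default policy" };
    }
    return { allowed: true };
  }

  // Proxy step: non-tool traffic and allowed calls are forwarded unchanged;
  // denied calls get a locally built MCP-style error result with the on_deny
  // text, so the request never reaches the upstream server.
  handle(request, now = Date.now()) {
    if (request.method !== "tools/call") return { forward: true, request };
    const verdict = this.evaluate(request.params?.name, now);
    if (verdict.allowed) return { forward: true, request };
    return {
      forward: false,
      response: {
        jsonrpc: "2.0",
        id: request.id,
        result: { isError: true, content: [{ type: "text", text: verdict.message }] },
      },
    };
  }
}

// Constructed sample request, the shape an agent sends over MCP (values made up).
const sampleDelete = {
  jsonrpc: "2.0", id: 7, method: "tools/call",
  params: { name: "delete_file", arguments: { owner: "example-org", repo: "api", path: "old.txt" } },
};
```

Feeding `sampleDelete` to `new PolicyEngine(policy).handle(...)` returns `forward: false` with the "File deletion blocked by policy" text, while a read-only tool that has no entry in the policy is forwarded until the wildcard's 120-per-minute counter fills, and a `create_repository` call that was cut off at five is allowed again once the clock crosses into the next hour.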
Even if you forget to add a rule for a specific tool, the wildcard catches runaway loops before they cause real damage.

Install Intercept and point it at the GitHub MCP server:

```bash
# Install
npm install -g @policylayer/intercept

# Run with the GitHub policy
intercept -c github.yaml -- npx -y @modelcontextprotocol/server-github
```

Every tool call now passes through the policy. Denied calls return the `on_deny` message to the agent. Allowed calls forward to GitHub as normal. The agent doesn't know Intercept is there — it just sees an MCP server that sometimes says no.

You can start with our pre-built GitHub policy and adjust from there. Block what's dangerous, rate limit what's useful, and leave read-only tools open.