Your AI coding assistant just wiped your local Docker environment. You asked it to "clean up that test container," and it decided to be thorough — removed every container, deleted the images they were built from, and destroyed the volumes holding your database state. Your PostgreSQL data, your Redis cache, your Elasticsearch index. Gone. No confirmation prompt, no undo.

It was trying to help. The Docker MCP server gave it the tools to list, create, start, stop, and — critically — remove every Docker resource on your machine. The agent saw old containers, stale images, and orphaned volumes. It cleaned them all. As we explored in "What Happens When Your AI Agent Goes Rogue," these aren't edge cases. They're the predictable consequence of giving agents destructive capabilities without constraints.

What the Docker MCP server exposes

The ckreiling/mcp-server-docker MCP server exposes 19 tools. The read operations are harmless — list_containers, list_images, list_volumes, fetch_container_logs. Fine. Let agents inspect your environment all day.

The problem is the other half: