// SCAN REPORT

GitHub

256 tools. 77 can modify or destroy data without limits.

6 destructive tools with no built-in limits. Policy required.

Last updated:

77 can modify or destroy data
179 read-only
256 tools total

77 GitHub tools can modify or destroy data, with no limits today. PolicyLayer puts allow, deny, and rate-limit rules on every call. Live in minutes.

SECURE GITHUB →

Free to start. No card required.

TOOL MAP

Read (179) Write / Execute (71) Destructive / Financial (6)

WHAT CAN GO WRONG

Destructive tools (action, delete_file, force) permanently delete resources. There is no undo. An agent calling these in a retry loop causes irreversible damage.

Write operations (add_comment_to_pending_review, add_issue_comment, add_reply_to_pull_request_comment) modify state. Without rate limits, an agent can make hundreds of changes in seconds — faster than any human can review or revert.

Execute tools (actions_run_trigger, base_ref, dry_run) trigger processes with side effects. Builds, notifications, workflows — all fired without throttling.

RECOMMENDED RULES

Deny destructive operations
{
  "action": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "add_comment_to_pending_review": {
    "limits": [
      {
        "counter": "add_comment_to_pending_review_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "Accepted OAuth Scopes": {
    "limits": [
      {
        "counter": "accepted oauth scopes_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

Get this policy live on your own GitHub server in minutes. Tune the limits to your setup; PolicyLayer enforces it on every call.

ENFORCE ON MY GITHUB →

ALL 256 GITHUB TOOLS

DESTRUCTIVE 6 tools
Destructive action Destructive delete_file Destructive force Destructive git_reset Destructive git_worktree_remove Destructive updated_field
EXECUTE 10 tools
Execute actions_run_trigger Execute base_ref Execute dry_run Execute failed_only Execute new_branch Execute new_name Execute run_id Execute start_date Execute startLine Execute startSide
WRITE 61 tools
Write add_comment_to_pending_review Write add_issue_comment Write add_reply_to_pull_request_comment Write assign_copilot_to_issue Write assignees Write color Write comment_id Write commentId Write commit_message Write commit_title Write commitID Write create_branch Write create_gist Write create_or_update_file Write create_pull_request Write create_repository Write detach Write filename Write gist_id Write git_add Write git_apply_patch_file Write git_apply_patch_string Write git_checkout Write git_commit Write git_create_branch Write git_push Write git_worktree_add Write git_worktree_lock Write git_worktree_unlock Write issue_comment_write Write issue_number Write issue_read Write issue_write Write item_type Write label_write Write maintainer_can_modify Write manage_notification_subscription Write manage_repository_notification_subscription Write mark_all_notifications_read Write merge_method Write merge_pull_request Write method Write modified Write owner_type Write patch_file Write patch_string Write projects_write Write pull_request_comment_write Write pull_request_review_write Write push_files Write replace_parent Write secret_type Write sub_issue_id Write sub_issue_write Write subjectType Write target_date Write type Write update_gist Write update_pull_request Write update_pull_request_branch Write updated
READ 179 tools
Read Accepted OAuth Scopes Read actions_get Read actions_list Read affects Read after Read after_id Read alertNumber Read author Read autoInit Read base Read base_branch Read before Read before_id Read body Read branch Read branch_name Read category Read commitish Read content Read custom_instructions Read cveId Read cwes Read description Read direction Read discussionNumber Read dismiss_notification Read draft Read duplicate_of Read ecosystem Read event Read expectedHeadSha Read field_id Read fields Read files Read filter Read fork_repository Read from_branch Read get Read get_code_scanning_alert Read get_comments Read get_commit Read get_dependabot_alert Read get_diff Read get_discussion Read get_discussion_comments Read get_file_contents Read get_files Read get_gist Read get_global_security_advisory Read get_job_logs Read get_label Read get_labels Read get_latest_release Read get_me Read get_notification_details Read get_release_by_tag Read get_repository_tree Read get_review_comments Read get_reviews Read get_secret_scanning_alert Read get_status Read get_sub_issues Read get_tag Read get_team_members Read get_teams Read ghsaId Read git_diff Read git_diff_staged Read git_diff_unstaged Read git_init Read git_list_repositories Read git_log Read git_pull Read git_show Read git_status Read git_worktree_list Read git_worktree_prune Read head Read include_diff Read inputs Read isWithdrawn Read item_id Read item_owner Read item_repo Read job_id Read labels Read lastReadAt Read line Read list_branches Read list_code_scanning_alerts Read list_commits Read list_dependabot_alerts Read list_discussion_categories Read list_discussions Read list_gists Read list_global_security_advisories Read list_issue_types Read list_issues Read list_label Read list_notifications Read list_org_repository_security_advisories Read list_pull_requests Read list_releases Read list_repository_security_advisories Read list_secret_scanning_alerts Read list_starred_repositories Read list_tags Read max_count Read message Read milestone Read minimal_output Read name Read notificationID Read order Read orderBy Read org Read organization Read owner Read page Read path Read path_filter Read per_page Read perPage Read private Read project_number Read projects_get Read projects_list Read public Read published Read pull_request_number Read pull_request_read Read pullNumber Read query Read reason Read recursive Read ref Read remote Read repo Read repo_path Read request_copilot_review Read Required OAuth Scopes Read resolution Read resource_id Read return_content Read reviewers Read revision Read search_code Read search_issues Read search_orgs Read search_pull_requests Read search_repositories Read search_users Read severity Read sha Read side Read since Read sort Read star_repository Read state Read state_reason Read status Read status_update_id Read tag Read tail_lines Read target Read team_slug Read threadID Read title Read tool_name Read tree_sha Read unstar_repository Read user Read username Read verbose Read workflow_id Read workflow_jobs_filter Read workflow_runs_filter Read worktree Read worktree_path

FAQ

Can an AI agent delete data through the GitHub MCP server? +

Yes. The GitHub server exposes 6 destructive tools including action, delete_file, force. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through GitHub? +

The GitHub server has 61 write tools including add_comment_to_pending_review, add_issue_comment, add_reply_to_pull_request_comment. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach GitHub.

How many tools does the GitHub MCP server expose? +

256 tools across 4 categories: Destructive, Execute, Read, Write. 179 are read-only. 77 can modify, create, or delete data.

How do I enforce a policy on GitHub? +

Register the GitHub MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

// RELATED SERVERS

Other MCP servers with similar tools.

Starter policies for each. Same risk classification, live on your fleet in minutes.

Nodebench 724 tools
adminautomation
UnClick 451 tools
adminautomation
NowAIKit — ServiceNow AI Toolkit 446 tools
adminautomation
0nmcp 407 tools
adminautomation
ServiceNow MCP Server 384 tools
adminautomation
TheProtocol — Sovereign AI Agent Platform 380 tools
adminautomation
Aibtc 327 tools
adminautomation
Fusionauth 314 tools
adminautomation

Enforce policy on every GitHub tool call.

Deterministic rules across all 256 GitHub tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

SECURE GITHUB →

Free to start. No card required.

4,600+ MCP servers and 31,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.