Ansible

90 tools. 41 can modify or destroy data without limits.

2 destructive tools with no built-in limits. Policy required.

41 can modify or destroy data
49 read-only
90 tools total

Community server · catalogue entry verified 12/06/2026

What Ansible exposes to your agents

Read (49) · Write / Execute (39) · Destructive / Financial (2)
Critical Risk

The most dangerous Ansible tools

41 of Ansible's 90 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

How to control Ansible

PolicyLayer is an MCP gateway — it sits between your AI agents and Ansible, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "remove-external-server": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "fix-template": {
    "limits": [
      {
        "counter": "fix-template_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "browse-services": {
    "limits": [
      {
        "counter": "browse-services_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Ansible — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.

Free to start. No card required.

All 90 Ansible tools

WRITE 21 tools
fix-template: Fix non-compliant template issues
store-vm-credentials: Store ansible-admin credentials for a VM in context
add-external-server: Add an external server to the Ansible inventory
create-compliant-template: Create a new MCP-compliant template from a base VM
create-playbook: Create a new Ansible playbook file
create-playbook-flexible: Create an Ansible playbook with flexible input (YAML string or structured data)
create-role-structure: Create a complete Ansible role directory structure
create-vm-template: Generate Terraform configuration for Proxmox VMs
generate-inventory: Generate an Ansible inventory file from discovered Proxmox VMs
generate-secure-password: Generate a secure password for ansible-admin accounts
handle-duplicate-service: Handle user decision for duplicate service
hardware-inventory: Manage hardware inventory database
import-ansible-config: Import configuration from existing Ansible controller
migrate-ssh-keys: Migrate SSH keys from existing controller
pihole-blacklist: Add domain to Pi-hole blacklist
pihole-enable: Enable Pi-hole blocking
pihole-whitelist: Add domain to Pi-hole whitelist
set-mcp-context: Store context information in MCP for future sessions
setup-proxmox: Configure Proxmox connection settings
setup-services: Configure IP addresses for services
update-context-after-operation: Update MCP context after successful VM or service operations

READ 49 tools
browse-services: Browse available services in the catalog with optional filtering
capture-state: Capture current infrastructure state for change tracking
check-node-capacity: Check if a node has capacity for requested resources
compare-inventory-state: Compare context inventory with live Proxmox inventory and detect deviations
compare-service-requirements: Compare requirements for multiple services
detect-existing-service: Detect if a service is already installed in the infrastructure
discover-ansible-controller: Discover existing Ansible controllers on the network
discover-network-devices: Discover devices on the network and classify them
discover-proxmox: Discover all VMs on a Proxmox server and extract their configuration
discover-templates: Discover and validate all templates in infrastructure
find-best-node: Find the best node for VM placement based on resources and preferences
get-best-practice: Get best practices for MCP operations
get-config: Get current configuration values
get-error-recovery: Get error recovery steps for common issues
get-mcp-context: Get stored context information from MCP
get-service-sop: Get installation and management procedures for a specific service
get-validation-checks: Get validation checks for operations
gpu-detection: Detect and analyze GPU hardware
hardware-scan: Comprehensive hardware scan of a system
inventory-status: Check inventory status and staleness
list-environments: List available deployment environments
list-hosts: List all hosts in inventory
list-loaded-tools: List all currently loaded tools and services
list-service-sops: List all available service-specific SOPs
list-sops: List all available standard operating procedures
list-vm-credentials: List all VMs with stored credentials
load-service-tools: Load tools specific to a service
network-interfaces: Detailed network interface information
pihole-query-log: Query Pi-hole DNS logs
pihole-stats: Get Pi-hole statistics and status
query-sop: Query standard operating procedures for common MCP operations
retrieve-vm-credentials: Retrieve ansible-admin credentials for a VM
security-audit-accounts: Audit user accounts for security issues
security-check-firewall: Check firewall configuration and rules
security-check-passwords: Check for weak passwords and password policies
security-check-ssh: Audit SSH configuration for security
security-check-updates: Check for security updates and vulnerable packages
security-scan-ports: Scan for open ports on specified hosts
server-health: Check server health and dependencies
server-logs: Get server logs for debugging
service-details: Get detailed information about a specific service
storage-analysis: Detailed storage analysis including health checks
terraform-output: Get outputs from Terraform state
test-connection: Test connection to configured services
validate-playbook: Validate an Ansible playbook syntax
validate-template: Validate a template meets MCP standards
generate-diagram: Generate infrastructure diagram from current state
proxmox-inventory: Discover and manage Proxmox infrastructure inventory
terraform-plan: Create an execution plan for Terraform changes

Questions about Ansible

Can an AI agent delete data through the Ansible MCP server?

Yes. The Ansible server exposes 2 destructive tools, including remove-external-server and unload-service-tools. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Ansible?

The Ansible server has 21 write tools, including fix-template, store-vm-credentials, and add-external-server. Set a rate limit in your policy: for example, a limit of 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Ansible.

How many tools does the Ansible MCP server expose?

90 tools across 4 categories: Destructive, Execute, Read, Write. 49 are read-only. 41 can modify, create, or delete data.

How do I enforce a policy on Ansible?

Register the Ansible MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Ansible tool call.

Deterministic rules across all 90 Ansible tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

90 Ansible tools catalogued and risk-classified — across an index of 43,000+ MCP servers.
