Critical-risk tools in MLflow MCP Server
5 of the 40 tools in MLflow MCP Server are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
- delete_experiment (Destructive): Delete an experiment and all its runs. Moves to the 'deleted' lifecycle stage — not shown in UI or queries, but recoverable via the MLflow API.
- delete_model_alias (Destructive): Remove an alias from a registered model (e.g. revoke 'champion'). The alias is permanently removed; the model version itself is not affected.
- delete_model_version (Destructive): Delete a specific model version from the registry. Irreversible — the version and its metadata cannot be recovered.
- delete_registered_model (Destructive): Delete an entire registered model and all its versions. Irreversible — all versions, aliases, and tags are permanently removed.
- delete_run (Destructive): Delete a run. Moves it to the 'deleted' lifecycle stage — not shown in UI or queries, but recoverable via the MLflow API.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.