Stop Docker Compose services
AI agents call compose_down to permanently remove resources in MCP Container Tools — typically in cleanup and lifecycle workflows. It does its job in a single call, and there is no undo.
Docker Compose 'down' command stops and removes containers, networks, and optionally volumes/images. This is not merely stopping services (which would be reversible) but tearing down the entire compose stack, which removes containers and networks. While data volumes may persist by default, the action is largely irreversible in terms of container state and running services, making it Destructive.
From the tool's definition compose_down - 'Stop Docker Compose services'
Attacks that exploit this kind of access
Stop Docker Compose services. It is categorised as a Destructive tool in the MCP Container Tools MCP Server, which means it can permanently delete or destroy data. Block by default and require explicit approval.
Register the MCP Container Tools MCP server in PolicyLayer and add a rule for compose_down: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches MCP Container Tools. Nothing to install.
compose_down is a Destructive tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the compose_down rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for compose_down. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
compose_down is provided by the MCP Container Tools MCP server (simseksem/mcp-container-tools). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →