AI agents invoke container_stop to trigger actions in Kali. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
While the tool does not delete user data or move money, it executes a command that terminates and removes an infrastructure component. This is categorized as Execute rather than Destructive because the container removal is reversible (containers can be recreated), and the primary function is to trigger a Docker operation rather than irreversibly destroy persistent data.
From the tool's definition The tool description states it will "Stop and remove the Kali Linux Docker container." This is an active operational action that triggers external system operations (Docker container lifecycle management) whose effects depend on the container state and…
Attacks that exploit this kind of access
Stop and remove the Kali Linux Docker container. It is categorised as a Execute tool in the Kali MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Kali MCP server in PolicyLayer and add a rule for container_stop: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Kali. Nothing to install.
container_stop is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the container_stop rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for container_stop. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
container_stop is provided by the Kali MCP server (unaacceptable297/kali-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →