Why Docker’s New MCP Protocol Could Be a Security Nightmare for AI Agents

Read: Docker has launched its own MCP (Model Context Protocol) directory and an MCP toolkit for managing MCP tools.

MCP directory is part of Docker Hub. Docker claims its initial servers exceed 100 and can access third‑party tools from vendors such as Elastic, Salesforce Heroku, New Relic, Stripe, Pulumi, Grafana Labs, Kong and Neo4j.

Future plans include allowing enterprises to publish their own custom MCP servers, with Docker promising “full enterprise control.”

MCP is designed to provide a standardized API for AI agents to control the services exposed by these servers, thereby extending the ability of AI to perform tasks on behalf of users.

Anthropic released its MCP in November 2024, describing it as a new standard for “connecting AI assistants to the systems where data resides.” The protocol has been quickly adopted by OpenAI, Microsoft, Google and other vendors, many of which are launching MCP servers to stay competitive. This is not just about data retrieval; AI agents can also invoke functions exposed by MCP servers, which introduces additional risk.

Security firm Wiz introduced its own MCP server for detecting code vulnerabilities and active threats, and highlighted several security concerns:

MCP servers are not officially registered yet, though registration is planned.

Malicious actors may use domain squatting and impersonation to trick developers into installing rogue MCP servers.

“Rug pulls” refer to legitimate MCP servers being compromised with malicious code after adoption.

Prompt injection can cause trusted MCP servers to execute unexpected or dangerous tools.

Wiz argues that some AI agents can automatically run tools to provide a “seamless developer experience,” but this implicitly trusts tool responses, creating risk.

Certain customers, such as Anthropic’s Claude, have defenses against malicious prompts, but many do not, and according to Wiz these protections are inconsistent and incomplete.

Security research group Trail of Bits is publishing a series on MCP vulnerabilities; the first paper describes a “tool poisoning” or “jump‑line” attack where a malicious MCP server manipulates the tools/list response to prepend malicious prefixes to commands, potentially leaking code, creating vulnerabilities, or hiding alerts.

In Anthropic’s original MCP concept, human oversight was required to validate command legitimacy before execution, but this model is challenged as AI agents aim to perform tasks that users cannot accomplish themselves.

These reports suggest that MCP servers and clients are still in a “wild west” stage: adoption is growing, but security boundaries are not yet solid. Anthropic currently recommends developers consult a community‑maintained MCP server list that includes a disclaimer “use at your own risk.”

Against this backdrop, Docker’s verified trusted MCP server registry could be welcomed, though it is unlikely to become the sole registry for enterprises, especially since Anthropic’s roadmap already includes an official MCP registry.

Docker also offers features such as Registry Access Management, which controls which registries Docker Desktop can access (though command‑line work‑arounds exist), and Image Access Management, which limits the number of container images developers can pull.

Edit: Action in Progress DaXiong

Related reading:

2025 年你应该知道的 9 种最佳容器监控工具

FreeBSD 14.2 正吸引 Docker 的粉丝

塑造我成为 CTO 之路的秘诀