Docker has introduced its own MCP (Model Context Protocol) catalog alongside an MCP Toolkit for managing MCP tools.

The MCP Catalog is part of Docker Hub and the company claims over 100 initial servers, giving access to third-party tools from vendors including Elastic, Salesforce Heroku, New Relic, Stripe, Pulumi, Grafana Labs, Kong and Neo4j. Future plans include the ability for enterprises to publish their own custom MCP servers, for which Docker is promising “full enterprise controls.”

The purpose of MCP is to give AI agents a standardized API for controlling the services exposed by these servers, extending the ability for AI to perform tasks on behalf of the user. For those looking for a friendly introduction, we have a hands-on guide to MCP.

MCP was introduced by Anthropic in November 2024 as “a new standard for connecting AI assistants to the systems where data lives.” The protocol has been rapidly adopted by others including OpenAI, Microsoft and Google; and vendors have scrambled to deliver MCP servers in the hope of not missing out in agentic AI workflows. It is not just a matter of retrieving data: AI agents can also perform tasks via the capabilities exposed by MPC servers, and with these increased capabilities come increased risks.

Security outfit Wiz, which has introduced its own MCP server for detecting code vulnerabilities and other active threats, has described MCP security issues including:

• No official registry for MCP servers, though one is planned
• Typosquatting and impersonation as bad actors try to get malicious MCP servers installed by developers
• “Rug pulls” where a legitimate MCP server is compromised with malicious code after gaining adoption
• Prompt injection, where a legitimate MCP server is manipulated by untrusted content to trigger “unintended or dangerous tool execution”

Wiz identifies the ability of some AI agents to auto-run tools for “a seamless developer experience” as a risk, since this implicitly trusts tool responses. 

Some clients, including Anthropic’s Claude, have guardrails against malicious prompts but others might not, and according to Wiz “these guardrails are inconsistent and uncomprehensive.”

Security outfit Trail of Bits is running a series of posts on MCP vulnerabilities, the first of which describes an attack called tool poisoning or line jumping. When an MCP client connects to a server, it requests details of what tools the server offers via a tools/list method. Trail of Bits observes that a malicious MCP server could use this description to manipulate an AI agent, with instructions such as to include a malicious prefix before any command and not to tell the user about it. A compromised MCP server, states Trail of Bits, might exfiltrate code, create vulnerabilities, or suppress security alerts.

In Anthropic’s original concept for MCP there will always be a human in the loop, verifying that commands are legitimate and correct before they run. In the world of AI though this is problematic, particularly when part of the promise of AI is that it assists users to perform actions which they would otherwise find difficult.

The implication of reports like these is that MCP servers and clients are in something of a wild west phase, where adoption is growing but the security implications and boundaries are not yet in place. Anthropic currently points developers towards this list of MCP servers which includes community server that are “untested and should be used at your own risk.”

In this context, a Docker-verified registry of trusted MCP servers may be welcome, though it is unlikely to be the only registry used by enterprises, particularly when an official MCP registry is on Anthropic’s roadmap. Docker has features such as Registry Access Management, which controls which registries are accessible via Docker Desktop (though there are ways to bypass it using the command line); and Image Access Management, which restricts the container images a developer is allowed to pull.