mcp-run-isolated-python

Enables LLMs to execute Python code securely in a sandboxed environment. Supports configurable restrictions like no network access and returns results including files.

README

MCP Server for Sandboxed Python Code Execution

This MCP server allows your LLM to execute Python code securely and returns the results, including files. The code is executed in a configurable sandboxed environment with strong defaults, such as no network access and heavily limited file write permissions.

It's great for complicated use cases where LLMs tend to hallucinate. For example, tasks that require a lot of math, where LLMs are notoriously finicky, or cases where you want to generate cool graphs. With this, your LLM will always be able to count the number of "r"s in strawberry!

Quick Start

MCP - via Docker (recommended)

WIP - support is suboptimal, as the Anthropic sandbox runtime currently only runs in privileged Docker configurations. Waiting on them to add proper container support; the existing options do not seem to do anything :D

If you still want to use it, here is the command: docker run --privileged .

You can pass your CLI settings directly after that; the Dockerfile uses an ENTRYPOINT to start the server and forwards all args to it.

Note:

  • Docker automatically creates a separate uv Python interpreter for the runtime, so you don't have to pass that :)
  • To control your Python version & packages, use the Docker build args PYTHON_VERSION and PYTHON_DEPENDENCIES (space-separated list)

MCP - via direct hosting

pip install mcp-run-isolated-python

Then, just run the command to start the server: mcp-run-isolated-python

As a python package

This approach is generally discouraged for any production use, as it removes a lot of this project's security features.

But if you like to live dangerously, or you are the only one using this, or you are building a super quick prototype - this will be fine & should be safe, as it is still using sandboxed code execution.

import asyncio

from mcp_run_isolated_python import CodeSandbox, CodeSandboxSettings

settings = CodeSandboxSettings(...)

# sync use
with CodeSandbox(settings=settings) as sandbox:
    result = sandbox.eval("print(1 + 1)")
    print(result)

# async use - "async with" is only valid inside a coroutine
async def main():
    async with CodeSandbox(settings=settings) as sandbox:
        result = await sandbox.eval("print(1 + 1)")
        print(result)

asyncio.run(main())

Why this tool?

I built this out of frustration with the existing ecosystem. Most of the existing tools do not focus on security, which is a no-go if you are living in an enterprise environment or want to use this for more than a single user on your own computer.

Security Considerations

This tool was designed with a strong focus on security - after all, giving an LLM unchecked access to a code executor is quite risky. To harden security further, it is heavily recommended to run this server in an isolated container, like Docker.

Security Features

  • Use of srt, a shell sandbox built by Anthropic to limit LLM access (more info here)
    • Remove network access
    • Remove write access to any non-allowed folders
    • Remove read access to specified folders
    • Restrict access to unix sockets
  • Use of Docker to isolate the host system from the system where the code is executed
  • Removal of any env variables for the LLM process

Open security concerns

  • Reading of file contents on the host system - needs to be restricted on a case-by-case basis using the srt settings
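Before relying on the restrictions listed under Security Features, and on your own srt read-access settings for the open concern above, it is worth submitting a small probe through the sandbox and checking that each promised restriction actually holds in your deployment. The following is an added example, not part of this project's code: it needs only the Python standard library, and the default paths in run_probes are constructed placeholders that you should point at your real allowed folder and at a host file that must stay unreadable.

```python
import os
import socket
import tempfile

def probe_network(host="127.0.0.1", port=9, timeout=1.0):
    # Outcome of one outbound connect; "ConnectionRefusedError" still means the net stack is reachable.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except Exception as exc:
        return type(exc).__name__

def probe_open(path, mode):
    # True if path could be opened with mode; a file created by "w" is removed again.
    try:
        with open(path, mode):
            pass
        if "w" in mode:
            os.remove(path)
        return True
    except OSError:
        return False

def probe_env(markers=("KEY", "TOKEN", "SECRET", "PASSWORD")):
    # Environment variable names that look like credentials.
    return sorted(k for k in os.environ if any(m in k.upper() for m in markers))

def run_probes(allowed_dir=None, forbidden="/nonexistent_dir_for_probe/x.txt",
               protected="/etc/hostname"):
    # Default paths are constructed placeholders; point them at your real policy.
    allowed_dir = allowed_dir or tempfile.mkdtemp()
    return {"network": probe_network(),
            "write_allowed": probe_open(os.path.join(allowed_dir, "probe.txt"), "w"),
            "write_forbidden": probe_open(forbidden, "w"),
            "read_protected": probe_open(protected, "rb"),
            "leaked_env": probe_env()}

def violations(report):
    # Compare a probe report against the restrictions the README promises.
    checks = [
        (report["network"] in ("connected", "ConnectionRefusedError", "TimeoutError", "timeout"),
         "network reachable"),
        (report["write_forbidden"], "write outside allowed folder succeeded"),
        (not report["write_allowed"], "write inside allowed folder failed"),
        (report["read_protected"], "protected host file readable"),
        (bool(report["leaked_env"]), "credential-like env vars visible"),
    ]
    return [msg for bad, msg in checks if bad]
```

Submit this file's contents through the sandbox's eval with a final `print(violations(run_probes()))`; an empty list means every checked restriction held, while running it directly on the host shows what the probe reports when nothing is enforced.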

Comparison to (some) other tools

There really are too many to count. I am not including most here, as most simply do not care about sandboxing at all.

Here is what I find to be the most relevant ones with a focus on security.

Name Strong Sandboxing Open Source & Self-hostable Maintained Released Full Python & package support File output support
This Project
Monty
Pydantic MCP Server
Sandboxing Service, like Daytona
Built-in, like for Gemini
