mcp-secure-sandbox
Provides a secure, containerized Python sandbox for executing LLM-generated code with multi-layer isolation, along with JSON/CSV validation and workspace state snapshots.
README
Secure Python Sandbox & Data Validator MCP Server
A production-ready, highly secure, and containerized Model Context Protocol (MCP) server built in Python using FastMCP. This server isolates code executions within a sandboxed environment, offers automated data validation (JSON Schema and CSV structures), and maintains state snapshots to support deterministic testing pipelines.
🏗️ Architecture & Isolation Model
This server implements four distinct layers of security to ensure that code generated by LLMs cannot execute destructive operations or compromise the host system.
graph TD
Client[Client e.g., Claude Desktop] -->|MCP JSON-RPC| Server[FastMCP Server Process]
Server -->|Tool: run_sandbox_code| AST{AST Safety Checker}
AST -->|Safety Violations| Fail[Reject & return Traceback]
AST -->|Safe AST| Subprocess[Spawn Python Subprocess]
Subprocess -->|Preamble Injection| Closure[Intercept builtins.open]
Closure -->|Access within Workspace| Execute[Run Script]
Closure -->|Access outside Workspace| Block[PermissionError Blocked]
Execute -->|Capture stdout/stderr/time| Server
Server -->|Response| Client
The 4 Layers of Defense:
- Container Isolation (Docker): The server runs as a non-root system user (
mcpuser) inside a minimalpython:3.12-slimcontainer, ensuring zero access to the host's root filesystem or processes. - Static AST Analysis: Prior to execution, code is parsed into an Abstract Syntax Tree (AST). The AST visitor blocks dangerous built-in functions (
exec,eval), double-underscore metadata attributes (__class__,__subclasses__), and unapproved imports (e.g.os,sys,subprocess,socket). - Subprocess Isolation: Code is executed inside a spawned Python subprocess rather than the server's parent process. This isolates the memory context, manages clean execution time-outs, and handles crashes without crashing the MCP server.
- Closure-based Path Interception: The server injects a sandbox preamble that overrides python's built-in
open()function using a closure factory. This factory validates all file paths and blocks directory traversal attempts (using..or absolute paths outside the workspace) with aPermissionError.
🛠️ MCP Specifications
Tools
| Tool Name | Parameters | Description |
|---|---|---|
run_sandbox_code |
code: str, timeout_sec: float |
Validates and executes code in the isolated workspace. |
validate_json_data |
data: dict, schema_name_or_dict: any |
Validates JSON payloads against predefined or custom schemas. |
validate_csv_data |
csv_content: str, required_headers: list, type_constraints: dict |
Enforces column headers and datatype rules on CSV data. |
create_state_snapshot |
description: str |
Saves a snapshot of the workspace (files, hashes, metadata). |
restore_state_snapshot |
snapshot_id: str |
Reverts the workspace filesystem to a saved snapshot. |
list_state_snapshots |
None | Lists all saved snapshots chronologically. |
delete_state_snapshot |
snapshot_id: str |
Permanently deletes a saved snapshot file. |
get_sandbox_metrics |
None | Returns resource usage (memory, CPU) and tool execution statistics. |
Resources
sandbox://status: Returns JSON data outlining active configurations, workspaces, and snapshot counts.sandbox://logs: Retrieves the last 100 execution traces in memory (timestamp, log level, messages, and performance times).sandbox://schemas: Lists all pre-registered validation schemas (config,user,dataset).
Prompts
generate_secure_script: Prompts the LLM client to write a Python script complying with the AST safety and workspace file constraints.diagnose_validation_error: Diagnoses schema validation errors and generates corrected JSON payloads.
🚀 Installation & Setup
Prerequisites
- Python 3.12+ (or Docker installed on the host machine)
- Python virtual environment tools (
venv)
Local Setup & Testing
- Clone or copy the repository files.
- Initialize virtual environment and install requirements:
python -m venv .venv .venv/Scripts/activate # On Windows source .venv/bin/activate # On Linux/macOS pip install -r requirements.txt - Run the unit and integration tests:
python -m pytest -vv - Start the server locally in stdio transport mode:
python -m src.server
Containerized Sandbox Setup (Docker)
To build and run the secure container using Docker:
# Build the Docker image
docker build -t mcp-secure-sandbox .
# Run the container in interactive stdio mode
docker run -i --rm -v "$(pwd)/sandbox_workspace:/sandbox/workspace" mcp-secure-sandbox
Using Docker Compose:
# Start the container with mounted volumes
docker-compose up -d
[!NOTE] The workspace files are persisted locally in the
./sandbox_workspacefolder, and snapshots are saved in the./sandbox_snapshotsfolder. Both paths are automatically synchronized inside the container.
⚙️ Client Integration (Claude Desktop Config)
Add the following block to your Claude Desktop configuration file (typically located at %APPDATA%\Claude\claude_desktop_config.json on Windows or ~/Library/Application Support/Claude/claude_desktop_config.json on macOS):
{
"mcpServers": {
"secure-sandbox": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-v",
"E:/mcp-secure-sandbox/sandbox_workspace:/sandbox/workspace",
"-v",
"E:/mcp-secure-sandbox/sandbox_snapshots:/sandbox/snapshots",
"mcp-secure-sandbox"
]
}
}
}
[!IMPORTANT] Verify that the local folder paths mounted in the
-vargs exist on your host and are formatted correctly as absolute paths.
📦 State Snapshot Details
The snapshot engine saves the state of the workspace inside JSON records. A snapshot contains:
- Snapshot Metadata: UUID, ISO UTC timestamp, and descriptions.
- File Registry: Maps relative paths of all files in
/sandbox/workspaceto:- File size (bytes)
- Modification timestamp (
mtime) - SHA-256 hash of contents
- Content payload (UTF-8 string for text files, Base64 encoding for binaries)
When restore_state_snapshot is triggered:
- It compares the current workspace state with the snapshot registry.
- Files not present in the snapshot registry are deleted.
- Modified files (matching path but differing SHA-256) are rewritten to match.
- Missing files are recreated.
- All file modification times (
mtime) are restored to ensure build tools function deterministically.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.