mcp-secure-sandbox
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-secure-sandboxrun this Python code safely"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Secure Python Sandbox & Data Validator MCP Server
A production-ready, highly secure, and containerized Model Context Protocol (MCP) server built in Python using FastMCP. This server isolates code executions within a sandboxed environment, offers automated data validation (JSON Schema and CSV structures), and maintains state snapshots to support deterministic testing pipelines.
🏗️ Architecture & Isolation Model
This server implements four distinct layers of security to ensure that code generated by LLMs cannot execute destructive operations or compromise the host system.
graph TD
Client[Client e.g., Claude Desktop] -->|MCP JSON-RPC| Server[FastMCP Server Process]
Server -->|Tool: run_sandbox_code| AST{AST Safety Checker}
AST -->|Safety Violations| Fail[Reject & return Traceback]
AST -->|Safe AST| Subprocess[Spawn Python Subprocess]
Subprocess -->|Preamble Injection| Closure[Intercept builtins.open]
Closure -->|Access within Workspace| Execute[Run Script]
Closure -->|Access outside Workspace| Block[PermissionError Blocked]
Execute -->|Capture stdout/stderr/time| Server
Server -->|Response| ClientThe 4 Layers of Defense:
Container Isolation (Docker): The server runs as a non-root system user (
mcpuser) inside a minimalpython:3.12-slimcontainer, ensuring zero access to the host's root filesystem or processes.Static AST Analysis: Prior to execution, code is parsed into an Abstract Syntax Tree (AST). The AST visitor blocks dangerous built-in functions (
exec,eval), double-underscore metadata attributes (__class__,__subclasses__), and unapproved imports (e.g.os,sys,subprocess,socket).Subprocess Isolation: Code is executed inside a spawned Python subprocess rather than the server's parent process. This isolates the memory context, manages clean execution time-outs, and handles crashes without crashing the MCP server.
Closure-based Path Interception: The server injects a sandbox preamble that overrides python's built-in
open()function using a closure factory. This factory validates all file paths and blocks directory traversal attempts (using..or absolute paths outside the workspace) with aPermissionError.
Related MCP server: Token-Efficient MCP Server
🛠️ MCP Specifications
Tools
Tool Name | Parameters | Description |
|
| Validates and executes code in the isolated workspace. |
|
| Validates JSON payloads against predefined or custom schemas. |
|
| Enforces column headers and datatype rules on CSV data. |
|
| Saves a snapshot of the workspace (files, hashes, metadata). |
|
| Reverts the workspace filesystem to a saved snapshot. |
| None | Lists all saved snapshots chronologically. |
|
| Permanently deletes a saved snapshot file. |
| None | Returns resource usage (memory, CPU) and tool execution statistics. |
Resources
sandbox://status: Returns JSON data outlining active configurations, workspaces, and snapshot counts.sandbox://logs: Retrieves the last 100 execution traces in memory (timestamp, log level, messages, and performance times).sandbox://schemas: Lists all pre-registered validation schemas (config,user,dataset).
Prompts
generate_secure_script: Prompts the LLM client to write a Python script complying with the AST safety and workspace file constraints.diagnose_validation_error: Diagnoses schema validation errors and generates corrected JSON payloads.
🚀 Installation & Setup
Prerequisites
Python 3.12+ (or Docker installed on the host machine)
Python virtual environment tools (
venv)
Local Setup & Testing
Clone or copy the repository files.
Initialize virtual environment and install requirements:
python -m venv .venv .venv/Scripts/activate # On Windows source .venv/bin/activate # On Linux/macOS pip install -r requirements.txtRun the unit and integration tests:
python -m pytest -vvStart the server locally in stdio transport mode:
python -m src.server
Containerized Sandbox Setup (Docker)
To build and run the secure container using Docker:
# Build the Docker image
docker build -t mcp-secure-sandbox .
# Run the container in interactive stdio mode
docker run -i --rm -v "$(pwd)/sandbox_workspace:/sandbox/workspace" mcp-secure-sandboxUsing Docker Compose:
# Start the container with mounted volumes
docker-compose up -dThe workspace files are persisted locally in the./sandbox_workspace folder, and snapshots are saved in the ./sandbox_snapshots folder. Both paths are automatically synchronized inside the container.
⚙️ Client Integration (Claude Desktop Config)
Add the following block to your Claude Desktop configuration file (typically located at %APPDATA%\Claude\claude_desktop_config.json on Windows or ~/Library/Application Support/Claude/claude_desktop_config.json on macOS):
{
"mcpServers": {
"secure-sandbox": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-v",
"E:/mcp-secure-sandbox/sandbox_workspace:/sandbox/workspace",
"-v",
"E:/mcp-secure-sandbox/sandbox_snapshots:/sandbox/snapshots",
"mcp-secure-sandbox"
]
}
}
}Verify that the local folder paths mounted in the-v args exist on your host and are formatted correctly as absolute paths.
📦 State Snapshot Details
The snapshot engine saves the state of the workspace inside JSON records. A snapshot contains:
Snapshot Metadata: UUID, ISO UTC timestamp, and descriptions.
File Registry: Maps relative paths of all files in
/sandbox/workspaceto:File size (bytes)
Modification timestamp (
mtime)SHA-256 hash of contents
Content payload (UTF-8 string for text files, Base64 encoding for binaries)
When restore_state_snapshot is triggered:
It compares the current workspace state with the snapshot registry.
Files not present in the snapshot registry are deleted.
Modified files (matching path but differing SHA-256) are rewritten to match.
Missing files are recreated.
All file modification times (
mtime) are restored to ensure build tools function deterministically.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/syed-muslim2603/mcp-secure-sandbox'
If you have feedback or need assistance with the MCP directory API, please join our Discord server