Run any MCP server with zero trust, zero risk.

Drop-in security sandbox for Model Context Protocol servers. Automatic Docker containerization with protocol-level security enforcement.

curl -fsSL https://mcpjail.com/install.sh | sh

Works on macOS, Linux, and Windows (WSL2)

The Problem

Our security audit of 501 MCP servers revealed alarming vulnerabilities:

96.4% contain exploitable vulnerabilities
70.3% have shell execution capabilities
93.4% use unpinned dependencies
75.4% have unrestricted network access

MCP clients like Claude Desktop and Cursor run servers with full user privileges. If compromised, attackers get complete access to your machine.

The Solution

Before (unsafe)

npx -y @modelcontextprotocol/server-filesystem /home/user
  • Full filesystem access
  • Unrestricted network
  • Can execute any command
  • No audit logging

After (sandboxed)

mcpjail npx -y @modelcontextprotocol/server-filesystem /workspace
  • Isolated in Docker container
  • Network disabled by default
  • Protocol-level filtering
  • Complete audit trail

Security Features

Docker Isolation

Every MCP server runs in a hardened container with read-only filesystem, dropped capabilities, and seccomp filtering.

Network Control

Network disabled by default. Allowlist specific hosts when needed. Prevents data exfiltration.

Protocol Proxy

Rust-based MCP protocol proxy validates every request and response. Blocks path traversal and SSRF attacks.

Tool Filtering

Allowlist or blocklist specific MCP tools. Prevent dangerous operations like shell execution.

Mount Control

Only explicitly mounted paths are accessible. Default read-only. No access to ~/.ssh, ~/.aws, or secrets.

Audit Logging

Complete audit trail of all MCP operations. Know exactly what tools were called and with what arguments.
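To make the Protocol Proxy, Tool Filtering and Audit Logging points concrete, here is an added example (not mcpjail's own code, which is Rust) of a minimal request filter in Python: a tool allowlist, a path-traversal check against the mounted roots, a host allowlist for URL arguments, and one audit record per decision. The POLICY dict shape, the AUDIT list and the tool_call helper are assumptions made for this illustration, not mcpjail's format.

```python
import json
import posixpath
from urllib.parse import urlparse

# Constructed policy in the spirit of the page's readonly policy plus one allowlisted
# host; this dict shape is an assumption, not mcpjail's own policy format.
POLICY = {"allowed_tools": {"read_file", "list_directory", "fetch"},
          "mounts": ["/workspace"], "allowed_hosts": {"api.example.com"}}
AUDIT = []  # in-memory audit trail; a real proxy would persist every entry

def path_inside_mounts(value, mounts):
    """Collapse '.' and '..' segments, then require the result to stay under a mount."""
    norm = posixpath.normpath(value)  # symlinks are not resolved; the container mounts handle those
    return any(norm == m or norm.startswith(m.rstrip("/") + "/") for m in mounts)

def url_host_allowed(value, hosts):
    """Allowlist only: loopback, link-local and internal hosts are refused unless listed."""
    host = urlparse(value).hostname
    return host is not None and host in hosts

def _audit(msg, allowed, reason):
    params = msg.get("params") or {}
    AUDIT.append({"id": msg.get("id"), "method": msg.get("method"), "tool": params.get("name"),
                  "arguments": params.get("arguments"), "allowed": allowed, "reason": reason})
    return allowed, reason

def filter_request(raw, policy=POLICY):
    """Decide whether one client->server JSON-RPC message may be forwarded; returns (allowed, reason)."""
    msg = json.loads(raw)
    if msg.get("method") != "tools/call":
        return _audit(msg, True, "non-tool method forwarded")
    params = msg.get("params") or {}
    tool, args = params.get("name"), params.get("arguments") or {}
    if tool not in policy["allowed_tools"]:
        return _audit(msg, False, f"tool {tool!r} not in allowlist")
    for key, value in args.items():
        if not isinstance(value, str):
            continue
        if value.startswith(("http://", "https://")):
            if not url_host_allowed(value, policy["allowed_hosts"]):
                return _audit(msg, False, f"{key}: host not allowlisted (SSRF guard)")
        elif "/" in value or value.startswith(".."):
            if not path_inside_mounts(value, policy["mounts"]):
                return _audit(msg, False, f"{key}: path escapes the mounted roots")
    return _audit(msg, True, "tool call permitted")

def tool_call(tool, **arguments):
    """Build a constructed tools/call request (sample input, not captured traffic)."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                       "params": {"name": tool, "arguments": arguments}})
```

Every decision, allowed or blocked, lands in AUDIT with the tool name and arguments, which is the record the page's audit trail promises.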

Quick Start

Basic Usage

mcpjail npx -y @modelcontextprotocol/server-filesystem /workspace

With Network Access

mcpjail --allow-host api.example.com python -m mcp_server

With Write Access

mcpjail --mount .:/workspace:rw npx -y @some/mcp-server

Claude Desktop Config

{
  "mcpServers": {
    "filesystem": {
      "command": "mcpjail",
      "args": [
        "--policy", "readonly",
        "npx", "-y",
        "@modelcontextprotocol/server-filesystem",
        "/workspace"
      ]
    }
  }
}

Built-in Policies

strict

Maximum security. No network, read-only filesystem, minimal tools allowed.

readonly

Read-only access to mounted paths. No write operations, no network.

development

Balanced for development. Write access to workspace, localhost network.

network-isolated

Full filesystem access but completely network isolated.