{"id":50927873,"url":"https://github.com/declaw-ai/mcp-sandbox","last_synced_at":"2026-06-17T01:03:48.248Z","repository":{"id":360324952,"uuid":"1249633548","full_name":"declaw-ai/mcp-sandbox","owner":"declaw-ai","description":"Sandbox any MCP server in one line. Firecracker microVM isolation for Claude Desktop, Cursor, Windsurf, and every MCP client.","archived":false,"fork":false,"pushed_at":"2026-05-25T23:17:53.000Z","size":9,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-26T01:17:57.093Z","etag":null,"topics":["ai-security","claude-desktop","cursor","firecracker","isolation","mcp","mcp-server","sandbox","security"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/declaw-ai.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-25T22:51:11.000Z","updated_at":"2026-05-25T23:17:57.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/declaw-ai/mcp-sandbox","commit_stats":null,"previous_names":["declaw-ai/mcp-sandbox"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/declaw-ai/mcp-sandbox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/declaw-ai%2Fmcp-sandbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/declaw-ai%2Fmcp-sandbox/tags","releases_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/declaw-ai%2Fmcp-sandbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/declaw-ai%2Fmcp-sandbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/declaw-ai","download_url":"https://codeload.github.com/declaw-ai/mcp-sandbox/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/declaw-ai%2Fmcp-sandbox/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34429497,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-16T02:00:06.860Z","response_time":126,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-security","claude-desktop","cursor","firecracker","isolation","mcp","mcp-server","sandbox","security"],"created_at":"2026-06-17T01:03:47.558Z","updated_at":"2026-06-17T01:03:48.200Z","avatar_url":"https://github.com/declaw-ai.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# mcp-sandbox\n\nSandbox any MCP server in one line. 
Firecracker microVM isolation for Claude Desktop, Cursor, Windsurf, Claude Code, and every MCP client.\n\n[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)\n[![Declaw CLI](https://img.shields.io/github/v/release/declaw-ai/declaw-cli?label=declaw%20cli)](https://github.com/declaw-ai/declaw-cli/releases)\n\n## Before / After\n\n**Before** — no sandbox:\n\n```json\n{\n  \"mcpServers\": {\n    \"github\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"@modelcontextprotocol/server-github\"],\n      \"env\": { \"GITHUB_PERSONAL_ACCESS_TOKEN\": \"ghp_...\" }\n    }\n  }\n}\n```\n\nYour GitHub token is accessible to the MCP server *and* its entire dependency tree — 847 transitive npm packages running with full host access.\n\n**After** — sandboxed in a Firecracker microVM:\n\n```json\n{\n  \"mcpServers\": {\n    \"github\": {\n      \"command\": \"declaw\",\n      \"args\": [\"mcp\", \"--env\", \"GITHUB_PERSONAL_ACCESS_TOKEN\", \"--network-allow\", \"registry.npmjs.org,api.github.com,github.com,codeload.github.com\", \"--\", \"npx\", \"-y\", \"@modelcontextprotocol/server-github\"],\n      \"env\": { \"GITHUB_PERSONAL_ACCESS_TOKEN\": \"ghp_...\" }\n    }\n  }\n}\n```\n\nSame MCP server. Same functionality. But now the server's outbound traffic, and with it your token, can only reach the four hosts on the `--network-allow` list: even if a dependency is compromised, it cannot send the credential to a host you did not allow. Only the env vars you explicitly forward with `--env` reach the sandbox; the rest of your host environment (SSH agent socket, cloud credentials, other API keys) never does.\n\nThree caveats. `registry.npmjs.org` and `codeload.github.com` are allowlisted only so that `npx` can fetch the server at startup, and a compromised package can still reach them; for a tighter policy, build a custom template with the server already installed (see *Custom dependencies* below) and drop them from the list. An allowlist bounds where bytes can go, not what the token may do on the allowed hosts, so issue the token with the narrowest scopes the server needs. And the token still sits in the client config file and the client's own environment; the sandbox constrains the server process, not how the client stores the secret.\n\n## Why\n\nMCP servers that connect to external APIs handle your most sensitive credentials — GitHub tokens, Slack bot tokens, API keys, database credentials. 
These servers run as subprocesses with full host access: your files, your SSH keys, your network.\n\nThis isn't theoretical:\n- Claude Desktop Extensions had a [zero-click RCE](https://layerxsecurity.com/blog/claude-desktop-extensions-rce/) rated CVSS 10/10 (LayerX, Feb 2026)\n- Cursor had [CVE-2025-54135](https://www.tenable.com/cve/CVE-2025-54135) (CurXecute, CVSS 9.8) and [CVE-2025-54136](https://www.tenable.com/cve/CVE-2025-54136) (MCPoison, CVSS 8.8)\n\n`declaw mcp` wraps any stdio MCP server in a Firecracker microVM with network deny-all by default. The server works identically — it just can't reach anything you didn't explicitly allow.\n\n## When to use this\n\n`declaw mcp` is designed for **MCP servers that talk to external APIs with credentials**:\n\n| Server | Credentials at risk | Why sandbox it |\n|--------|-------------------|----------------|\n| GitHub | `GITHUB_PERSONAL_ACCESS_TOKEN` | Token can only reach the allowlisted GitHub hosts, not an attacker-controlled server |\n| Slack | `SLACK_BOT_TOKEN` | Bot token confined to `api.slack.com` |\n| Brave Search | `BRAVE_API_KEY` | API key confined to `api.search.brave.com` |\n| Database | `DATABASE_URL` | Connection string can only reach the allowlisted database host, which must be reachable from the sandbox (not `localhost`) |\n| Any API server | API keys, tokens, secrets | Network allowlist = credential containment |\n\nThe hosts in the table are the API endpoints the credential is meant for. A server installed at startup with `npx` also needs the package registry and download hosts on the allowlist, as in the GitHub example above, and the credential can reach those hosts too.\n\n**Not a fit for:** MCP servers that need local host access (filesystem, SQLite, etc.) — these need your local files to be useful, which a cloud sandbox intentionally prevents.\n\nThe microVM runs on Declaw's hosted service (hence the account and `declaw auth login` step below), so a forwarded credential and the server's traffic are entrusted to that service instead of to the dependency tree; check that this trade fits your threat model before forwarding production secrets.\n\n## Install\n\n```bash\n# macOS / Linux\ncurl -fsSL https://raw.githubusercontent.com/declaw-ai/declaw-cli/main/install.sh | sh\n\n# or with Go\ngo install github.com/declaw-ai/declaw-cli/cmd/declaw@latest\n\n# or download binary\n# https://github.com/declaw-ai/declaw-cli/releases\n```\n\nThen sign up and authenticate:\n\n```bash\n# 1. Create a free account at https://console.declaw.ai\n# 2. Copy your API key from the dashboard\n# 3. 
Authenticate:\ndeclaw auth login\n```\n\n## Client Setup\n\n### Claude Desktop\n\nConfig path: `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\\Claude\\claude_desktop_config.json` (Windows)\n\n```json\n{\n  \"mcpServers\": {\n    \"github\": {\n      \"command\": \"declaw\",\n      \"args\": [\"mcp\", \"--env\", \"GITHUB_PERSONAL_ACCESS_TOKEN\", \"--network-allow\", \"registry.npmjs.org,api.github.com,github.com,codeload.github.com\", \"--\", \"npx\", \"-y\", \"@modelcontextprotocol/server-github\"],\n      \"env\": { \"GITHUB_PERSONAL_ACCESS_TOKEN\": \"ghp_...\" }\n    }\n  }\n}\n```\n\n### Cursor\n\nConfig path: `~/.cursor/mcp.json` — same JSON structure as above.\n\n### Windsurf\n\nConfig path: `~/.codeium/windsurf/mcp_config.json` — same JSON structure as above.\n\n### Claude Code\n\n```bash\nclaude mcp add github -e GITHUB_PERSONAL_ACCESS_TOKEN=ghp_... -- declaw mcp --env GITHUB_PERSONAL_ACCESS_TOKEN --network-allow registry.npmjs.org,api.github.com,github.com,codeload.github.com -- npx -y @modelcontextprotocol/server-github\n```\n\n## Examples\n\nSee [`examples/`](examples/) for ready-to-use configs:\n\n- [`github`](examples/github/) — GitHub API (repos, issues, PRs, code search)\n- [`brave-search`](examples/brave-search/) — Web search via Brave Search API\n- [`fetch`](examples/fetch/) — Web content fetching and conversion\n\n## How it works\n\n`declaw mcp` is a transparent stdio forwarder. It creates a Firecracker microVM, starts the MCP server inside it, and forwards JSON-RPC messages between the MCP client and the sandboxed server. The client doesn't know anything changed. The server doesn't know it's sandboxed.\n\nNetwork is deny-all by default. Use `--network-allow` to open specific hosts the server needs. 
This is the key security property: credentials passed to the server can only reach hosts you explicitly permit.\n\n## Flags\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--network-allow \u003chosts\u003e` | deny-all | Comma-separated outbound hostname allowlist |\n| `--template \u003cname\u003e` | `mcp-server` | Sandbox template (default includes Node.js + Python) |\n| `--timeout \u003cseconds\u003e` | `86400` | Sandbox timeout (default 24h) |\n| `--env KEY` or `--env KEY=VAL` | — | Environment variable to forward (repeatable). `KEY` reads from host env; `KEY=VAL` sets explicitly. |\n| `--verbose` | off | Diagnostic logging to stderr |\n\n## Custom dependencies\n\nThe default `mcp-server` template includes Node.js and Python, which covers most MCP servers. If your server needs additional system packages (e.g., `ffmpeg`, native libraries), build a custom template:\n\n```bash\n# Create a Dockerfile\necho 'FROM declaw/mcp-server:latest\nRUN apt-get update \u0026\u0026 apt-get install -y ffmpeg' \u003e Dockerfile\n\n# Build it (returns a template ID)\ndeclaw template build --dockerfile Dockerfile\n\n# Use the template ID from the build output\ndeclaw mcp --template \u003ctemplate-id\u003e -- your-server-command\n```\n\nSee `declaw template build --help` for details.\n\n## Links\n\n- [Full CLI documentation](https://github.com/declaw-ai/declaw-cli)\n- [Declaw docs](https://docs.declaw.ai)\n- [declaw.ai](https://declaw.ai)\n\n## License\n\nApache 2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeclaw-ai%2Fmcp-sandbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeclaw-ai%2Fmcp-sandbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeclaw-ai%2Fmcp-sandbox/lists"}
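The README's "How it works" section describes `declaw mcp` as a transparent stdio forwarder that relays JSON-RPC between the MCP client and the server and passes the server only the env vars named with `--env`. The following is an added example, not code from this repository or from the declaw CLI: a local Python stand-in that reproduces those two behaviours (newline-delimited JSON-RPC relay, environment scrubbing with the `KEY` / `KEY=VAL` semantics of the flag table) so you can observe what the server process actually sees. It assumes a hypothetical `BASE_ENV` of just `PATH` and `LANG`, a lock-step request/reply relay, and a constructed echo server; it provides none of the microVM isolation or egress policy that is the point of the real tool.

```python
"""Local stand-in for a stdio MCP forwarder with environment scrubbing.

Illustrative code added to this discussion; NOT declaw's implementation.
It relays newline-delimited JSON-RPC to a server subprocess and gives that
subprocess only the env vars named with --env. No VM, no network policy.
"""
import json
import os
import subprocess
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

# Assumption: the minimal environment a server needs to start at all.
BASE_ENV: Dict[str, str] = {"PATH": "/usr/local/bin:/usr/bin:/bin", "LANG": "C.UTF-8"}


def parse_env_specs(specs: Iterable[str], host_env: Dict[str, str]) -> Dict[str, str]:
    """--env semantics: 'KEY' copies the host value, 'KEY=VAL' sets it explicitly.
    Anything not listed (SSH_AUTH_SOCK, AWS_*, other API keys) is withheld.
    A bare KEY unset on the host is an error, not a silent no-op."""
    forwarded: Dict[str, str] = {}
    for spec in specs:
        if "=" in spec:
            key, value = spec.split("=", 1)
            forwarded[key] = value
        elif spec in host_env:
            forwarded[spec] = host_env[spec]
        else:
            raise KeyError(f"--env {spec}: not set in host environment")
    return forwarded


def split_argv(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Split 'forwarder flags -- server command' at the first '--'."""
    if "--" not in argv:
        raise ValueError("expected '--' before the server command")
    i = argv.index("--")
    return argv[:i], argv[i + 1:]


def parse_flags(flags: List[str]) -> List[str]:
    """Collect the repeatable --env specs; any other flag is rejected."""
    specs: List[str] = []
    i = 0
    while i < len(flags):
        if flags[i] == "--env" and i + 1 < len(flags):
            specs.append(flags[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported flag: {flags[i]}")
    return specs


def forward(server_cmd: List[str], child_env: Dict[str, str],
            requests: Iterable[str]) -> Iterator[dict]:
    """Relay JSON-RPC 2.0 lines to the server and yield its replies.
    Lock-step by design: one request, one reply, except notifications
    (no "id"), which get none. Non-JSON-RPC input is rejected, not relayed."""
    proc = subprocess.Popen(server_cmd, env=child_env, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    assert proc.stdin is not None and proc.stdout is not None
    try:
        for raw in requests:
            if not raw.strip():
                continue
            msg = json.loads(raw)
            if msg.get("jsonrpc") != "2.0":
                raise ValueError("refusing to relay a non-JSON-RPC 2.0 message")
            proc.stdin.write(json.dumps(msg) + "\n")
            proc.stdin.flush()
            if "id" in msg:
                line = proc.stdout.readline()
                if not line:
                    raise RuntimeError("server closed stdout")
                yield json.loads(line)
    finally:
        proc.stdin.close()
        proc.wait(timeout=10)


# Constructed stand-in MCP server: replies with the env var names it can see.
ECHO_SERVER = r"""
import json, os, sys
for line in sys.stdin:
    req = json.loads(line)
    if "id" not in req:
        continue
    reply = {"jsonrpc": "2.0", "id": req["id"], "result": {"env_keys": sorted(os.environ)}}
    sys.stdout.write(json.dumps(reply) + "\n")
    sys.stdout.flush()
"""


def demo_round_trip(env_specs: List[str], host_env: Dict[str, str]) -> List[str]:
    """Run the echo server through the forwarder with a scrubbed environment;
    return the env var names the server could see."""
    child_env = dict(BASE_ENV, **parse_env_specs(env_specs, host_env))
    request = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "ping"})
    replies = list(forward([sys.executable, "-c", ECHO_SERVER], child_env, [request]))
    return replies[0]["result"]["env_keys"]


def main(argv: List[str]) -> None:
    """Usage: python forwarder.py --env GITHUB_PERSONAL_ACCESS_TOKEN -- npx -y <server>"""
    flags, server_cmd = split_argv(argv)
    child_env = dict(BASE_ENV, **parse_env_specs(parse_flags(flags), dict(os.environ)))
    for reply in forward(server_cmd, child_env, sys.stdin):
        sys.stdout.write(json.dumps(reply) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1:])
    else:  # constructed host env with a decoy secret that must not leak through
        print("server saw:", demo_round_trip(["GITHUB_PERSONAL_ACCESS_TOKEN", "FOO=bar"],
              {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_demo", "AWS_SECRET_ACCESS_KEY": "decoy"}))
```

Run it with no arguments for the self-check, or as `python forwarder.py --env GITHUB_PERSONAL_ACCESS_TOKEN -- npx -y @modelcontextprotocol/server-github` to relay a real server. The decoy `AWS_SECRET_ACCESS_KEY` never appears in the child's environment, which is the property the `--env` flag gives you; the hosted microVM adds to that the egress allowlist, which a plain subprocess cannot enforce.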