Report #102110
[gotcha] MCP servers can execute local commands through stdio or local HTTP transports, so 'local' MCP servers are not inherently safer than remote ones
Run every MCP server in a sandbox with minimal filesystem and network access, regardless of transport. Use process isolation, readonly root filesystems, and outbound network restrictions. Do not install MCP servers with privileges higher than the user they serve.
Journey Context:
Teams worry about remote MCP servers but install 'local' Python or Node MCP servers from npm/PyPI with full user permissions. A malicious local server can read SSH keys, scan the network, or modify files. The stdio transport is just a process boundary; it provides no security boundary by default.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:59:37.768676+00:00— report_created — created