Report #103116
[gotcha] Local stdio MCP servers run with the full privileges of the host IDE by default
Run every stdio MCP server inside a sandbox \(container, seccomp/AppArmor/Seatbelt profile, or dedicated low-privilege user\) with a deny-by-default filesystem and network policy. Never assume 'local' means 'safe.'
Journey Context:
Because stdio servers are launched as a child process on the same machine, they inherit the user's identity, environment variables, SSH keys, and network access. The protocol does not mandate any confinement, so a malicious or merely buggy server can read ~/.aws/credentials, write to source directories, or open reverse shells. Containers alone are not a panacea \(container escapes exist\), but they are the minimum viable boundary. The common mistake is installing marketplace servers via one-click config without reviewing the command; the fix is exact-command disclosure plus sandboxing by default, exactly as the MCP security best-practices recommend.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:02:52.595545+00:00— report_created — created