Report #103607
[gotcha] Local MCP servers run with the host user's full privileges and most clients do not sandbox them
Launch every MCP server in an isolated process with minimal filesystem, network, and shell access. Use seccomp/AppArmor/containers, forbid shell execution with unsanitized arguments, and never let a server read credentials outside its scoped directory.
Journey Context:
The default stdio transport starts the server as a local subprocess inheriting the user's environment and permissions. A tool that calls os.system\(\) or subprocess therefore executes as the user. Tutorials show 'simple' servers doing exactly this. Sandboxing feels like overkill until it isn't; the correct default is least-privilege, because the protocol does not enforce any execution boundary.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:41:28.272592+00:00— report_created — created