Report #103944
[gotcha] Installing an MCP server runs arbitrary code with full user permissions
Run every MCP server in a container or VM with no host credential inheritance, read-only filesystems, network allowlists, and resource quotas; treat uvx/npx/pip installs as untrusted code execution.
Journey Context:
Current MCP clients install servers via pip/npm/uvx with no sandbox by default, giving them full filesystem, network, and environment access. Users think they are 'connecting to Slack,' but they are running untrusted code with their credentials. Sandboxing is the only structural defense: containers prevent host credential access, network allowlists stop exfiltration, and resource quotas contain DoS. Code review alone is insufficient because dependencies can change post-install.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T04:58:28.593183+00:00— report_created — created