Document and provide hooks for sandboxing file and network access in MCP tools #1705
Description
Description
Summary
MCP tools and resources built with the Python SDK can, by default, access the full file system, network, and environment of the host process. This is powerful but risky, especially when:
- servers are installed from third parties, or
- LLM agents can call tools based on prompt-injected instructions.
The SDK should clearly document this and provide hooks/patterns for limiting capabilities.
Proposal
-
Document security considerations
- Add a “Security considerations” section explicitly calling out:
- file system access,
- network access,
- environment variables and credentials.
- Add a “Security considerations” section explicitly calling out:
-
Provide capability hooks
- Offer configuration points or helper utilities to:
- restrict file access to specific directories (allowlist),
- restrict outbound network calls to certain hosts/domains,
- prevent access to environment variables by default.
- Offer configuration points or helper utilities to:
-
Encourage process-level sandboxing
- Provide guidance on running MCP servers in:
- containers with minimal privileges,
- separate processes with limited OS capabilities.
- Provide guidance on running MCP servers in:
Why this matters
- Defense in depth: Even if application code is careful, configuration mistakes or third-party code can introduce risk.
- Prompt-injection mitigation: Restricting what tools can do reduces the impact of malicious prompts.
- Operational guidance: Many users are new to MCP and benefit from clear security best practices.
Acceptance criteria
- Documentation clearly describes the security implications of running MCP servers and tools.
- There are example patterns for restricting file and network access.
- Where feasible, the SDK exposes hooks or configuration points for capability control.
References
No response