Skip to content

declaw-ai/mcp-sandbox

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 

Repository files navigation

mcp-sandbox

Sandbox any MCP server in one line. Firecracker microVM isolation for Claude Desktop, Cursor, Windsurf, Claude Code, and every MCP client.

License Declaw CLI

Before / After

Before — no sandbox:

{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_..." }
    }
  }
}

Your GitHub token is accessible to the MCP server and its entire dependency tree — 847 transitive npm packages running with full host access.

After — sandboxed in a Firecracker microVM:

{
  "mcpServers": {
    "github": {
      "command": "declaw",
      "args": ["mcp", "--env", "GITHUB_PERSONAL_ACCESS_TOKEN", "--network-allow", "registry.npmjs.org,api.github.com,github.com,codeload.github.com", "--", "npx", "-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_..." }
    }
  }
}

Same MCP server. Same functionality. But now your token can only reach GitHub — even if a dependency is compromised, it can't exfiltrate credentials anywhere else. Only the env vars you explicitly forward with --env reach the sandbox.

Why

MCP servers that connect to external APIs handle your most sensitive credentials — GitHub tokens, Slack bot tokens, API keys, database credentials. These servers run as subprocesses with full host access: your files, your SSH keys, your network.

This isn't theoretical:

declaw mcp wraps any stdio MCP server in a Firecracker microVM with network deny-all by default. The server works identically — it just can't reach anything you didn't explicitly allow.

When to use this

declaw mcp is designed for MCP servers that talk to external APIs with credentials:

Server Credentials at risk Why sandbox it
GitHub GITHUB_PERSONAL_ACCESS_TOKEN Token can only reach api.github.com, not exfiltrated elsewhere
Slack SLACK_BOT_TOKEN Bot token confined to api.slack.com
Brave Search BRAVE_API_KEY API key confined to api.search.brave.com
Database DATABASE_URL Connection string can't be sent to external hosts
Any API server API keys, tokens, secrets Network allowlist = credential containment

Not a fit for: MCP servers that need local host access (filesystem, SQLite, etc.) — these need your local files to be useful, which a cloud sandbox intentionally prevents.

Install

# macOS / Linux
curl -fsSL https://raw.githubusercontent.com/declaw-ai/declaw-cli/main/install.sh | sh

# or with Go
go install github.com/declaw-ai/declaw-cli/cmd/declaw@latest

# or download binary
# https://github.com/declaw-ai/declaw-cli/releases

Then sign up and authenticate:

# 1. Create a free account at https://console.declaw.ai
# 2. Copy your API key from the dashboard
# 3. Authenticate:
declaw auth login

Client Setup

Claude Desktop

Config path: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows)

{
  "mcpServers": {
    "github": {
      "command": "declaw",
      "args": ["mcp", "--env", "GITHUB_PERSONAL_ACCESS_TOKEN", "--network-allow", "registry.npmjs.org,api.github.com,github.com,codeload.github.com", "--", "npx", "-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_..." }
    }
  }
}

Cursor

Config path: ~/.cursor/mcp.json — same JSON structure as above.

Windsurf

Config path: ~/.codeium/windsurf/mcp_config.json — same JSON structure as above.

Claude Code

claude mcp add github -e GITHUB_PERSONAL_ACCESS_TOKEN=ghp_... -- declaw mcp --env GITHUB_PERSONAL_ACCESS_TOKEN --network-allow registry.npmjs.org,api.github.com,github.com,codeload.github.com -- npx -y @modelcontextprotocol/server-github

Examples

See examples/ for ready-to-use configs:

  • github — GitHub API (repos, issues, PRs, code search)
  • brave-search — Web search via Brave Search API
  • fetch — Web content fetching and conversion

How it works

declaw mcp is a transparent stdio forwarder. It creates a Firecracker microVM, starts the MCP server inside it, and forwards JSON-RPC messages between the MCP client and the sandboxed server. The client doesn't know anything changed. The server doesn't know it's sandboxed.

Network is deny-all by default. Use --network-allow to open specific hosts the server needs. This is the key security property: credentials passed to the server can only reach hosts you explicitly permit.

Flags

Flag Default Description
--network-allow <hosts> deny-all Comma-separated outbound hostname allowlist
--template <name> mcp-server Sandbox template (default includes Node.js + Python)
--timeout <seconds> 86400 Sandbox timeout (default 24h)
--env KEY or --env KEY=VAL Environment variable to forward (repeatable). KEY reads from host env; KEY=VAL sets explicitly.
--verbose off Diagnostic logging to stderr

Custom dependencies

The default mcp-server template includes Node.js and Python, which covers most MCP servers. If your server needs additional system packages (e.g., ffmpeg, native libraries), build a custom template:

# Create a Dockerfile
echo 'FROM declaw/mcp-server:latest
RUN apt-get update && apt-get install -y ffmpeg' > Dockerfile

# Build it (returns a template ID)
declaw template build --dockerfile Dockerfile

# Use the template ID from the build output
declaw mcp --template <template-id> -- your-server-command

See declaw template build --help for details.

Links

License

Apache 2.0

About

Sandbox any MCP server in one line. Firecracker microVM isolation for Claude Desktop, Cursor, Windsurf, and every MCP client.

Topics

Resources

License

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors