Back to blog
2026-05-28Guide

How to Sandbox an MCP Server

An MCP server runs on your machine with your tokens and pulls in hundreds of dependencies you've never read. Here's how to wrap any MCP server in an isolated microVM with one line of config.

Model Context Protocol (MCP) servers are how AI assistants like Claude Desktop, Cursor, and Windsurf reach the outside world — GitHub, your filesystem, a database, an API. The catch: a typical MCP server runs as a local process on your machine, with your access tokens in its environment, and an npx -y some-server line quietly pulls in hundreds of transitive dependencies you've never audited. Any one of them runs with full access to your host and your credentials.

That's a lot of trust to extend to a one-line config entry. The fix is to run the MCP server inside an isolated microVM instead of directly on your machine — and you can do it without changing the server itself.

The idea: wrap the command, don't replace it

The declaw CLI ships an mcp command that wraps any stdio-based MCP server in a Declaw sandbox. You prepend declaw mcp -- to your existing server command. The server still speaks the same protocol over stdin/stdout — but now it runs in a Firecracker microVM with:

  • No access to your host — it can't read your files, your SSH keys, or your other processes.
  • Only the environment variables you explicitly forward with --env.
  • Deny-all networking by default — the server can't reach anything until you permit specific hosts with --network-allow.

If a dependency deep in that npx tree is compromised, it's boxed in: it can't reach your disk, and it can only talk to the handful of hosts the server actually needs.

Step by step

1. Install the CLI

# macOS / Linux
curl -fsSL https://raw.githubusercontent.com/declaw-ai/declaw-cli/main/install.sh | sh
# or:  go install github.com/declaw-ai/declaw-cli/cmd/declaw@latest

declaw auth login

2. Find your existing MCP server config

A typical unsandboxed entry — the GitHub server, with your token sitting in plain environment:

{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_..." }
    }
  }
}

3. Wrap it with declaw mcp

Change command to declaw, and move the original command after a --. Forward only the env var the server needs, and allowlist only the hosts it must reach:

{
  "mcpServers": {
    "github": {
      "command": "declaw",
      "args": [
        "mcp",
        "--env", "GITHUB_PERSONAL_ACCESS_TOKEN",
        "--network-allow", "registry.npmjs.org,api.github.com,github.com,codeload.github.com",
        "--", "npx", "-y", "@modelcontextprotocol/server-github"
      ],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_..." }
    }
  }
}

Same server, same functionality — but the token now only reaches GitHub, and even a compromised dependency can't exfiltrate it anywhere else or touch your machine. Restart your MCP client and the server works exactly as before.

4. Tune it with flags

Flag What it does
-t, --template Sandbox template (default mcp-server — includes Node.js + Python)
--timeout Sandbox timeout in seconds (default 3600)
-e, --env Forward an env var (KEY or KEY=VAL, repeatable)
-f, --file Upload a local file (LOCAL_PATH:REMOTE_PATH, repeatable)
--network-allow Allowed outbound hosts (comma-separated)
-v, --verbose Diagnostic logging to stderr

What to check

Check Why it matters How
Only required env is forwarded Unlisted secrets never enter the sandbox List each with --env; omit everything else
Network is scoped A compromised dep can't beacon out --network-allow only the hosts the server needs
The server still responds Confirms the wrap is transparent Use the MCP tool from your client as usual
Host stays untouched Confirms isolation The server can't read files outside the VM

Limitations to know

  • --env forwards the secret into the sandbox. The token is isolated there — unreadable from your host, and the network scoping stops it leaving for unauthorized hosts — but it does live inside the VM. For secrets that must never enter the VM at all (injected at the egress proxy instead), use the credential vault.
  • This wraps stdio MCP servers — the common local kind.
  • Sandboxes run on Declaw's cloud and require an authenticated API key (declaw auth login).

Next step

Pick the MCP server you're least sure about — the one with the biggest dependency tree and the most sensitive token — and wrap it first. The open-source CLI and the full pattern live at github.com/declaw-ai/mcp-sandbox.

Then tighten the box further: lock down its network egress to the minimum host list, and move its token out of the VM with the credential vault.