How to run MCP (Model Context Protocol) servers in a sandboxed environment using gVisor — the userspace kernel that powers Google Cloud Run.
Every MCP server you install gets access to:
~/.ssh/id_rsa, ~/.aws/credentials)There's no sandboxing built into MCP. You're trusting the author.
docker run --rm \ --runtime=runsc \ --network none \ --read-only \ --cap-drop ALL \ --security-opt no-new-privileges \ --memory 256m \ --memory-swap 0 \ --cpus 0.5 \ --pids-limit 64 \ --tmpfs /tmp:rw,size=64m \ mcp-audit-target
ptrace() attempts — process inspectionbpf() attempts — eBPF kernel exploitsmount() attempts — filesystem escapeskexec_load() — kernel replacementclone3() — namespace creationWhen gVisor isn't available, we use a strict seccomp profile that blocks 30+ dangerous syscalls.
We've audited 8,764 MCP servers with this sandbox. Results are public.
See Full Methodology → Browse Audited Servers →