概要
What is Deno Sandbox MCP Server?
An MCP server that allows you to run TypeScript, JavaScript, and Python code in a local sandbox using the Deno® runtime. It enforces explicit permission controls (e.g., which websites to visit, which files to read/write) to protect your machine from untrusted code, especially when code is generated by LLMs.
How to use Deno Sandbox MCP Server?
Install Node.js or Deno. Add the server to your client’s configuration (e.g., claude_desktop_config.json) using either deno run npm:mcp-deno-sandbox or npx mcp-deno-sandbox, passing permission flags like --allow-net=icanhazip.com,example.com at startup. Permissions are static and require a server restart to change.
Key features of Deno Sandbox MCP Server
- Runs TypeScript, JavaScript, and Python code locally.
- Uses Deno’s Chrome-based sandbox technology.
- Configurable read, write, and network permissions.
- Deny access to specific files or IP addresses.
- Python execution via Pyodide inside the Deno sandbox.
- Minimal codebase designed for auditability.
Use cases of Deno Sandbox MCP Server
- Let an LLM test generated code without risking your system.
- Summarise documents that may contain hidden prompt injections.
- Run untrusted scripts in a restricted file and network sandbox.
- Process isolated files (e.g., in
/tmp) with limited permissions. - Experiment with multi-language code without installing runtimes.
FAQ from Deno Sandbox MCP Server
What languages can I run in the sandbox?
TypeScript, JavaScript, and Python. Python runs via Pyodide inside the Deno environment.
How do I set permissions?
Permissions are passed as command-line arguments when starting the server (e.g., --allow-read=/tmp, --allow-net=example.com). They are the same as Deno permissions; you cannot change them without restarting the server.
Is this project affiliated with Deno Land LLC?
No. “Deno” is a registered trademark of Deno Land LLC. This project is an independent fan creation.
What are the known Python limitations?
Writing files with open(PATH, 'w') does not work; use import js; js.fs.writeFileSync(PATH, CONTENT) instead. When using --allow-read broadly, the server guesses which directories to mount into Pyodide (home and /tmp). Windows mounting may have issues.
How does the sandbox protect against malicious code?
It uses Deno’s sandbox, which relies on Chrome’s isolation technology. You control file, network, and execution permissions. Granting write access to the server’s config file or blanket FFI/execution permissions can completely undermine the sandbox.