by jovezhong
460 days ago
Most MCP tools use a Python env (uvx), Node, or even Java to run ANY CODE on your machine, so even if the Python virtual env is a sandbox, it's there to isolate the dependencies, not file/network access. If you are unlucky, you can still install a malware MCP server that wipes your disk or sends your photos somewhere. MCP servers are just local scripts. There is some permission control from Deno, but this is not the only runtime engine for MCP servers. It would be cool to have something like Chrome extension permissions or iOS/Android permission prompts, but I highly doubt this will be available, since on your local machine there are just too many ways to run scripts.

That's not what a sandbox means. PATH enhancement for dependency management is... dependency management; it has nothing to do with security.
> Too many ways to run scripts.
Which is why you need a tool, and not "just" run MCP. Not that hard to run in Docker and configure volume mounts/ports though.
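As an added example (not code from either commenter, and not from any MCP project), here is what the "run it in Docker with volume mounts/ports" suggestion looks like when written down as a locked-down `docker run` line for a stdio MCP server. The image name and mount path are placeholders you supply; every flag is a standard Docker option.

```shell
#!/bin/sh
# Added example, not from the thread: build a restrictive `docker run`
# invocation for a stdio-based MCP server. IMAGE and DIR are placeholders.
#
# Design: the host directory the server is allowed to read is mounted
# read-only at /data and is the only host path visible; networking is
# off entirely (remove `--network none` only if the server genuinely needs
# outbound access, ideally via a dedicated network); the root fs is
# read-only with a small noexec tmpfs for scratch space; all Linux
# capabilities are dropped and privilege escalation is blocked; memory and
# process counts are capped so a runaway server cannot exhaust the host.
# `-i` keeps stdin open because MCP stdio servers speak over stdin/stdout.

# mcp_sandbox_cmd DIR IMAGE  -> prints the docker command to run
mcp_sandbox_cmd() {
    dir=$1
    image=$2
    flags="--rm -i"                                           # stdio transport, no leftover containers
    flags="$flags --network none"                             # no network at all
    flags="$flags --read-only"                                # immutable root filesystem
    flags="$flags --tmpfs /tmp:rw,noexec,nosuid,size=64m"     # scratch space, nothing executable
    flags="$flags --cap-drop ALL"                             # no Linux capabilities
    flags="$flags --security-opt no-new-privileges"           # setuid binaries cannot escalate
    flags="$flags --pids-limit 128 --memory 512m"             # resource caps
    flags="$flags --user 65534:65534"                         # unprivileged uid/gid (nobody)
    echo "docker run $flags -v $dir:/data:ro $image"
}

# Print the command for the placeholder values; pipe it to `sh` (or paste it
# into your MCP client's server entry) once you have substituted real ones.
mcp_sandbox_cmd "${MCP_DIR:-/path/to/photos}" "${MCP_IMAGE:-example/mcp-server:latest}"
```

In the MCP client's server configuration the `command` then becomes `docker` with these arguments, instead of `uvx` or `npx` running the server directly on the host. Ports only need to be published (`-p`) for servers that use an HTTP transport; the stdio case above needs none, which is why the network can be switched off completely.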