Description
Before Submitting
- I have checked if this feature already exists or has been requested.
Feature Description
Important
@renato-umeton from @mit raised an interesting concern and hence we open this thread to keep track of things on this matter.
Caution
In a nutshell, a recent Snyk article, “Prompt Injection Meets MCP: A New Exploitation Vector Emerging?” (July 31 2025), details how prompt injection can be leveraged to trigger remote code execution (e.g. by appending `;whoami` to a command) via the aws-mcp-server in tools like Cursor. Further academic sources underscore this risk as well:
- MCPSecBench: A Systematic Security Benchmark and Playground for Testing Model Context Protocols (arXiv, August 2025)
- MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits (arXiv, April 2025)
- MPMA: Preference Manipulation Attack Against Model Context Protocol (arXiv, May 2025)
- Studying the Security and Maintainability of MCP Servers (arXiv, June 2025)
As a result, many parties are working on the problem; for instance, Salesforce AI Research explores defenses against prompt injection in enterprise LLM-enabled CRM systems through classifiers and heuristic methods for detecting malicious prompts (“Prompt Injection Detection: Securing AI Systems Against Malicious Actors”, March 4, 2025).
However, the simplest first step is to containerize everything, so that each component is encapsulated in a specific scope and cannot easily reach places it should not be going.
MCPStack should therefore focus attention on this MCP leakage matter, either via an extra component required when designing a MCPStack MCP tool, or via the MCPStack Pipeline that is output after its creation.
Proposed Solution
Two avenues to explore, for whoever wants to take on the adventure:
- Try containerizing the overall MCPStack Pipeline's `.run(.)`; try with and without, and see how it differs in what can be done that is dodgy and how the LLM reacts. However, this comes with a potential downside: it won't be containerized in Claude Desktop, as this `.run(.)` (FastMCP's `.run(.)`) is for STDIO-based output.
- Try containerizing each MCPStack MCP-supported tool itself, which solves the downside above but requires extending the design needed to develop one MCPStack-MCP tool.
Both of the above need to be explored, IMHO.
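To make the two points above concrete, here is an added example (not MCPStack's or FastMCP's code) of how a per-tool wrapper could address both the `;whoami`-style injection and the "containerize each tool" option. It assumes a hypothetical allowlist of permitted CLI operations, a placeholder container image name, and the standard `docker run` hardening flags; the only thing a model-supplied string can influence is which allowlisted operation runs inside the sandbox.

```python
import re
import shlex
import subprocess
from typing import Sequence

# Constructed allowlist (assumption): which CLI, services and operations a
# hypothetical MCPStack tool may invoke. Anything outside it is rejected.
ALLOWED_COMMANDS = {
    "aws": {"s3": {"ls"}, "sts": {"get-caller-identity"}},
}
# Remaining arguments (bucket names, flags) must be plain tokens:
# no shell metacharacters such as ; | & $ ` ( ) or whitespace.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./:=@-]+$")


def vulnerable_dispatch(user_command: str) -> list:
    """The unsafe pattern the issue describes: the model-supplied string is
    handed to a shell as-is (what subprocess.run(..., shell=True) does), so
    anything the LLM was tricked into appending rides along. Returned, not run."""
    return ["sh", "-c", user_command]


def validate_command(user_command: str) -> list:
    """Parse without a shell and check every token against the allowlist.
    shlex keeps ';whoami' or '$(id)' as ordinary tokens, so they simply fail
    the allowlist/regex checks and raise ValueError."""
    argv = shlex.split(user_command)
    if len(argv) < 3:
        raise ValueError("expected '<cli> <service> <operation> [args...]'")
    cli, service, operation, *rest = argv
    services = ALLOWED_COMMANDS.get(cli)
    if services is None:
        raise ValueError(f"cli not allowed: {cli!r}")
    if operation not in services.get(service, set()):
        raise ValueError(f"operation not allowed: {service!r} {operation!r}")
    for arg in rest:
        if not SAFE_ARG.match(arg):
            raise ValueError(f"unsafe argument: {arg!r}")
    return argv


def is_permitted(user_command: str) -> bool:
    """Boolean convenience wrapper around validate_command."""
    try:
        validate_command(user_command)
        return True
    except ValueError:
        return False


def build_sandboxed_argv(argv: Sequence[str], image: str, network: str = "none") -> list:
    """Wrap a validated argv in a locked-down `docker run` invocation, i.e. the
    per-tool containerisation the issue proposes. `image` is a placeholder;
    pass network="bridge" (or a dedicated egress network) for tools that need it."""
    return [
        "docker", "run", "--rm",
        "--network", network,                    # no network at all by default
        "--read-only",                           # immutable root filesystem
        "--cap-drop", "ALL",                     # drop every Linux capability
        "--security-opt", "no-new-privileges",   # no setuid escalation inside
        "--user", "65534:65534",                 # unprivileged uid/gid (nobody)
        "--pids-limit", "64",                    # bound process count
        "--memory", "256m",                      # bound memory
        image,
        *argv,
    ]


def run_tool(user_command: str, image: str = "example/mcp-tool:latest",
             execute: bool = False) -> list:
    """Validate, wrap, and optionally execute. shell=False means the tokens are
    never reinterpreted by a shell; the allowlist plus the container boundary
    are all a model-supplied string can reach. Returns the final argv."""
    argv = build_sandboxed_argv(validate_command(user_command), image)
    if execute:
        subprocess.run(argv, shell=False, check=False, timeout=60)
    return argv


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying the injected suffix.
    print(" ".join(run_tool("aws sts get-caller-identity")))
    print("vulnerable path would run:", vulnerable_dispatch("aws s3 ls ;whoami"))
    print("hardened path permits it:", is_permitted("aws s3 ls ;whoami"))
```

The design choice worth noting is that the allowlist and the container are layered: the allowlist stops the injected suffix from ever becoming a command, and the container limits what a permitted-but-abused operation can touch (no capabilities, read-only filesystem, optional no-network). Wrapping only the pipeline's `.run(.)` gives you the second layer but not the first, and, as the issue notes, does not apply when Claude Desktop launches the STDIO server itself.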
Examples or References
None as of my little knowledge on the matter, but anyone knowing potential libraries working on the matter is highly welcome to put those links in the comments below — I'll surely update the Issue 💪
Willing to Contribute?
Yes
Roadmap Alignment
Technical Enhancements
Other Roadmap Alignment
No response