Code execution with MCP

[ltcompounder]

Pre-submission Checklist

• I have checked that this question would not be more appropriate as an issue in a specific repository
• I have searched existing discussions and documentation for answers

Question Category

• Protocol Specification
• SDK Usage
• Server Implementation
• General Implementation
• Documentation
• Other

Your Question

Read this article: Code Execution With MCP

I thought that this was a great solution to agent context overload, agent discovers tools by exploring the file system. However as I was trying to implement this myself, I realized that this solution has security considerations that need to be taken into account. For instance, a malicious user could perform prompt injection to read sensitive files or even modify permissions.

Are there best practices for how to implement code execution with MCP? Treat me like a naive developer, because I am one.

[olaservo]

Hi @ltcompounder , there is a discussion here that should help point towards examples: modelcontextprotocol/modelcontextprotocol#1780

[ltcompounder]

hi @olaservo, thanks for the resource. i read the discussion and saw that you did a demo repo for code execution, will run through that. however it seems like there are a few concerns about security and PII exposure being brought up but with no direct follow ups so i'm guessing this is still unclear as to how the community should go about this?

[olaservo]

@ltcompounder my own experiments don't include built-in sandboxing, but some of the other implementations shared in the discussion include examples of securing the environment.

[olaservo]

(Closing as duplicate of linked discussion)

[abhigyan17]

Even though this discussion is marked as answered, I think it's worth highlighting the security implications here. Code execution capabilities in MCP are powerful but require careful threat modeling. The key is ensuring you understand the trust boundary and who has the ability to invoke code execution.

In production deployments, I'd recommend implementing strict ACLs on who can invoke code execution capabilities, require cryptographic signatures for sensitive commands, and implement comprehensive audit logging. Also consider running code execution in isolated containers or sandboxes to limit the blast radius if a breach occurs.

For threat modeling purposes, treat code execution capabilities the same way you'd treat shell access - assume it's a high-value target for attackers and protect it accordingly.