Your MCP servers can read your SSH keys. Anthropic just fixed that.
Every MCP server you run locally executes with your full filesystem and network permissions. That means the GitHub MCP server, the Slack one, that third-party tool you installed from npm last week — all of them can read your SSH keys, .env files, and credential stores by default. Anthropic just open-sourced the fix: sandbox-runtime , the sandboxing layer they built for Claude Code. One-line wrap, no Docker, OS-level enforcement. What actually changed srt (the Sandbox Runtime CLI) enforces filesystem and network restrictions on any process using native OS primitives: macOS : Uses sandbox-exec with dynamically generated Seatbelt profiles Linux : Uses bubblewrap for containerization + network namespace isolation Network filtering : HTTP/HTTPS traffic routes through an HTTP proxy; other TCP goes through SOCKS5 — both enforce your domain allowlists Install it: npm install -g @anthropic-ai/sandbox-runtime Wrap an MCP server in your .mcp.json — change command from npx to srt , move the rest to args : { "mcpServers" : { "filesystem" : { "command" : "srt" , "args" : [ "npx" , "-y" , "@modelcontextprotocol/server-filesystem" ] } } } Then configure what the process is actually allowed to touch in ~/.srt-settings.json : { "filesystem" : { "denyRead" : [ "~/.ssh" ], "allowWrite" : [ "." ], "denyWrite" : [ "~/sensitive-folder" ] }, "network" : { "allowedDomains" : [ "api.github.com" , "*.npmjs.org" ] } } The result: the MCP server can work in your project directory, talk to the domains it needs, and nothing else. Why this matters The threat model is real. An MCP server running compromised code — or simply a server with more ambient access than it needs — can exfiltrate your SSH keys, read your .env files, or phone home to arbitrary hosts. This isn't theoretical; it's the same class of supply-chain risk that exists for any untrusted npm package, except MCP servers are typically long-running processes with broad system access. srt is designed secure-by-default : processes start wit