Secure execution library · MCP-native · AGPL-3.0

Isolated. Audited. Polyglot.
Your agent's execution engine.

sandboxmcp is a modular Python library for secure, isolated code execution. Run Python, Node.js, and shell scripts in sandboxed environments. Zero-egress networking, secret vaults, artifact signing, and immutable audit logs.

secure_exec.py
import asyncio

from sandboxmcp import SandboxFactory, ExecutionRequest
from sandboxmcp.mcp_server import SandboxMCPServer


async def main():
    # Default sandbox: zero-egress networking and OS-level resource limits
    sandbox = SandboxFactory.default()

    # execute() is a coroutine, so it has to be awaited inside an event loop
    result = await sandbox.execute(ExecutionRequest(
        code="print('Hello from the sandbox!')",
        language="python",
    ))
    print(result.stdout)   # "Hello from the sandbox!"
    for art in result.artifacts:
        print(art.name, art.sha256)   # artifact hash for verification
    return sandbox


if __name__ == "__main__":
    sandbox = asyncio.run(main())
    # Expose the same sandbox to MCP clients (stdio / SSE)
    SandboxMCPServer(sandbox).run()
Zero-egress · SHA-256 signing · MCP stdio / SSE · Zero-egress default · Docker / Process · 23 MCP tools · Python / Node / Shell · Python 3.11+

Everything your agent needs
to execute code safely

Multi-Backend

Two isolation backends: Process (subprocess with OS rlimits / Windows Job Objects) and Docker (OCI containers).

Process · Docker

Zero-Egress

Default-deny networking. Sandboxed code cannot reach the internet unless you explicitly allowlist a host.

default deny · allowlist

Secret Vault

Inject secrets at runtime without exposing them in code or logs. Scoped per-execution and scrubbed from output.

scoped injection · log scrubbing

Polyglot Runtimes

Execute Python, Node.js, and Shell scripts in the same sandbox infrastructure.

Python · Node.js · Shell

Artifact Signing

Every execution result is hashed with SHA-256. Chain-of-custody for every artifact your agent produces.

SHA-256 · tamper-proof

Immutable Audit

Append-only audit log for every execution. Query by session, time range, or execution ID.

append-only · queryable

Backpressure Queue

Bounded execution queue with a configurable concurrency limit, enforced by an async semaphore (max_concurrent).

bounded · semaphore

Resource Guard

Per-execution limits on CPU time, memory, process count, and output size. Enforced at the OS level (rlimit / Job Objects).

CPU · memory · processes

Submit code.
Get verified results.

1. Queue: the execution request enters the backpressure queue.
   queue.submit(request)

2. Vault: secrets are injected into the execution environment.
   vault.inject(exec_id, secrets)

3. Isolate: the backend spins up an isolated environment.
   backend.create_sandbox(cfg)

4. Execute: code runs with resource guards active.
   sandbox.run(code, runtime)

5. Sign: outputs are hashed with SHA-256.
   crypto.sign(result)

6. Audit: the full record is appended to the immutable log.
   audit.append(record)
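The six-step pipeline above, as an added stand-alone illustration that is not sandboxmcp's own code: an async semaphore bounds concurrency (queue), the child gets its secrets through the environment and has them scrubbed from its output (vault), it runs as a subprocess with POSIX rlimits (isolate and execute), its scrubbed output is hashed with SHA-256 (sign), and a hash-chained append-only log records the result (audit). It assumes a POSIX host for the resource module, and its jobs and secret are constructed samples; the third job deliberately spins until the CPU limit fires.

```python
import asyncio, hashlib, json, resource, sys

def _guard():   # resource guard: POSIX rlimits set in the child just before exec
    for res, limit in ((resource.RLIMIT_CPU, 2), (resource.RLIMIT_AS, 512 << 20)):
        hard = resource.getrlimit(res)[1]      # never raise an existing hard limit
        lim = limit if hard == resource.RLIM_INFINITY else min(limit, hard)
        resource.setrlimit(res, (lim, lim))
class AuditLog:   # append-only: each entry hashes its predecessor, so any edit breaks the chain
    def __init__(self):
        self.entries = []
    def _digest(self, prev, record):
        return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()
    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record, "hash": self._digest(prev, record)})
    def verify(self):
        prevs = ["0" * 64] + [e["hash"] for e in self.entries[:-1]]
        return all(e["prev"] == p and self._digest(p, e["record"]) == e["hash"]
                   for p, e in zip(prevs, self.entries))

class Pipeline:
    def __init__(self, max_concurrent=2):
        self.sem = asyncio.Semaphore(max_concurrent)      # backpressure: bounded concurrency
        self.audit, self.active, self.peak = AuditLog(), 0, 0
    async def execute(self, exec_id, code, secrets):
        async with self.sem:                                                   # 1. queue
            self.active += 1; self.peak = max(self.peak, self.active)
            proc = await asyncio.create_subprocess_exec(                       # 2-4. vault, isolate, run
                sys.executable, "-I", "-c", code, env=dict(secrets), preexec_fn=_guard,
                stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.STDOUT)
            try:
                out, _ = await asyncio.wait_for(proc.communicate(), timeout=10)
            except asyncio.TimeoutError:          # wall-clock backstop behind the CPU rlimit
                proc.kill(); out, _ = await proc.communicate()
            self.active -= 1
        stdout = out.decode(errors="replace")
        for value in secrets.values():            # secret vault: scrub before anything is stored
            stdout = stdout.replace(value, "[REDACTED]")
        sha = hashlib.sha256(stdout.encode()).hexdigest()                     # 5. sign (SHA-256 digest)
        self.audit.append({"exec_id": exec_id, "rc": proc.returncode, "stdout_sha256": sha})  # 6. audit
        return {"exec_id": exec_id, "rc": proc.returncode, "stdout": stdout, "sha256": sha}

def demo():
    secrets = {"API_TOKEN": "tok-constructed-123"}        # constructed sample secret
    jobs = [("e1", "import os; print('token:', os.environ['API_TOKEN'])"),
            ("e2", "print('plain')"), ("e3", "while True: pass")]     # e3 trips the CPU limit
    async def run():
        p = Pipeline(max_concurrent=2)
        results = await asyncio.gather(*(p.execute(i, c, secrets) for i, c in jobs))
        return {"results": results, "peak": p.peak, "chain_ok": p.audit.verify()}
    return asyncio.run(run())
```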

sandboxmcp vs a raw OS subprocess

Same model, same controls, losses shown as plainly as wins. Every number reproduces from a script with raw JSON in the repo.

Metric (sandboxmcp vs a raw OS subprocess): result
host-impact escapes contained — raw OS subprocess: 1 / 5
host-impact escapes contained — process backend: 3 / 5
host-impact escapes contained — Docker backend: 5 / 5
dependencies (process backend): 0

Real defense-in-depth with zero dependencies. The process backend stops egress and resource attacks but has no kernel isolation — host file reads/writes leak. The Docker backend contains all of them, verified on the host filesystem. Not an unescapable sandbox: process for trusted code with guardrails, Docker to contain code you don't trust.

See the full benchmark →

Ready to give your agent secure code execution?
