Your MCP servers can read your SSH keys. Anthropic just fixed that.



Andrew Kew · Posted on May 31

Tags: #ai #security #api #developer

Every MCP server you run locally executes with your full filesystem and network permissions. That means the GitHub MCP server, the Slack one, that third-party tool you installed from npm last week — all of them can read your SSH keys, .env files, and credential stores by default.

Anthropic just open-sourced the fix: sandbox-runtime, the sandboxing layer they built for Claude Code. One-line wrap, no Docker, OS-level enforcement.

## What actually changed

`srt` (the Sandbox Runtime CLI) enforces filesystem and network restrictions on any process using native OS primitives:

- macOS: uses `sandbox-exec` with dynamically generated Seatbelt profiles
- Linux: uses bubblewrap for containerization plus network namespace isolation
- Network filtering: HTTP/HTTPS traffic routes through an HTTP proxy; other TCP goes through SOCKS5 — both enforce your domain allowlists

Install it:

```
npm install -g @anthropic-ai/sandbox-runtime
```

Wrap an MCP server in your `.mcp.json` — change `command` from `npx` to `srt`, and move the rest to `args`:

```json
{
  "mcpServers": {
    "filesystem": {
      "command": "srt",
      "args": ["npx", "-y", "@modelcontextprotocol/server-filesystem"]
    }
  }
}
```

Then configure what the process is actually allowed to touch in `~/.srt-settings.json`:

```json
{
  "filesystem": {
    "denyRead": ["~/.ssh"],
    "allowWrite": ["."],
    "denyWrite": ["~/sensitive-folder"]
  },
  "network": {
    "allowedDomains": ["api.github.com", "*.npmjs.org"]
  }
}
```

The result: the MCP server can work in your project directory, talk to the domains it needs, and nothing else.

## Why this matters

The threat model is real. An MCP server running compromised code — or simply a server with more ambient access than it needs — can exfiltrate your SSH keys, read your .env files, or phone home to arb
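To see how the two files above fit together before relying on them, here is an added example (not part of the post or of sandbox-runtime itself) that flags MCP servers in a `.mcp.json` whose `command` is not `srt`, and dry-runs a few accesses against the `~/.srt-settings.json` policy. The deny/allow precedence and the `*.` wildcard matching are my reading of the post, not the tool's documented semantics, and the home directory, cwd and both config files are constructed samples.

```python
import fnmatch, json, posixpath

# Constructed sample .mcp.json: one server wrapped with srt, one left bare.
MCP_JSON = """{
  "mcpServers": {
    "filesystem": {"command": "srt",
                   "args": ["npx", "-y", "@modelcontextprotocol/server-filesystem"]},
    "slack": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-slack"]}
  }
}"""

# Constructed ~/.srt-settings.json, the same policy the post shows.
SRT_SETTINGS = """{
  "filesystem": {"denyRead": ["~/.ssh"], "allowWrite": ["."],
                 "denyWrite": ["~/sensitive-folder"]},
  "network": {"allowedDomains": ["api.github.com", "*.npmjs.org"]}
}"""

HOME = "/home/dev"          # fixed home and cwd so the dry run is deterministic
CWD = "/home/dev/project"

def unsandboxed_servers(mcp_json):
    """Names of MCP servers whose command is not wrapped by srt."""
    servers = json.loads(mcp_json).get("mcpServers", {})
    return sorted(n for n, s in servers.items() if s.get("command") != "srt")

def _under(path, root):
    """True if path is root or lives below it, after ~ and relative expansion."""
    def expand(p):
        p = HOME + p[1:] if p.startswith("~") else p
        return posixpath.normpath(posixpath.join(CWD, p))
    path, root = expand(path), expand(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def read_allowed(path, settings):
    """Assumed semantics: readable unless under a denyRead entry."""
    fs = json.loads(settings).get("filesystem", {})
    return not any(_under(path, d) for d in fs.get("denyRead", []))

def write_allowed(path, settings):
    """Assumed semantics: needs an allowWrite ancestor and no denyWrite ancestor."""
    fs = json.loads(settings).get("filesystem", {})
    return (any(_under(path, a) for a in fs.get("allowWrite", []))
            and not any(_under(path, d) for d in fs.get("denyWrite", [])))

def domain_allowed(host, settings):
    """Exact or '*.' wildcard match against network.allowedDomains."""
    pats = json.loads(settings).get("network", {}).get("allowedDomains", [])
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in pats)
```

Running `unsandboxed_servers` over a real `.mcp.json` is a quick way to catch the one server that never got wrapped.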

📰Dev.to — dev.to
