loaditout.ai

docker-sandbox-mcp

MCP Tool

devdotbo/docker-sandbox-mcp

Universal Docker Sandbox isolation for MCP servers

Install

$ npx loaditout add devdotbo/docker-sandbox-mcp

Platform-specific configuration:

.claude/settings.json
{
  "mcpServers": {
    "docker-sandbox-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "docker-sandbox-mcp"
      ]
    }
  }
}

Add the config above to .claude/settings.json under the mcpServers key.

About

docker-sandbox-mcp

A Claude Code plugin that runs any Docker MCP Toolkit server inside a Docker Sandbox VM for maximum isolation.

What This Does

Docker MCP Toolkit runs MCP servers as containers, but those containers share the host Docker daemon and kernel. This plugin redirects the MCP Gateway into a Docker Sandbox VM by setting DOCKER_HOST to the sandbox's Docker socket. The result: MCP server containers run inside a microVM with a separate kernel and deny-by-default networking, adding VM-level isolation on top of container isolation.

Installation

Add the marketplace and install the plugin:

/plugin marketplace add devdotbo/docker-sandbox-mcp
/plugin install sandbox-mcp@docker-sandbox-mcp

Or install from a local clone:

git clone https://github.com/devdotbo/docker-sandbox-mcp.git
claude --plugin-dir ./docker-sandbox-mcp/plugins/sandbox-mcp

Quick Start

After installation, tell Claude Code:

> "Set up perplexity-web-mcp in a Docker sandbox"

Or use the command directly:

/sandbox-mcp:setup perplexity-web-mcp:latest pwm-docker perplexity-web-mcp ./docker/perplexity-catalog.yaml --allowed-hosts www.perplexity.ai

The plugin handles sandbox detection, image transfer, network lockdown, and gateway registration.

How It Works

AI Client (Claude Code, Cursor, Codex, etc.)
     | stdio
     v
Docker MCP Gateway (DOCKER_HOST = sandbox socket)
     | docker run (routed to sandbox Docker daemon)
     v
+------------------------------------------+
| Sandbox microVM                          |
|   MCP Server Container                   |
|     | https (deny-by-default)            |
|     v                                    |
|   allowed-host.com                       |
+------------------------------------------+

The key insight: Docker CLI respects the DOCKER_HOST environment variable. By pointing it at the sandbox VM's Docker socket (~/.docker/sandboxes/vm/<name>/docker.sock), all container operations are transp
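
The redirect only isolates anything while DOCKER_HOST is actually set: with the variable unset, the Docker CLI talks to its default daemon on the host. The sketch below is an added example, not code from the plugin or its README; it resolves the socket path quoted above and fails closed when the socket is missing. The function names are hypothetical, and it assumes the `<name>` path component is the sandbox name.

```shell
#!/bin/sh
# Added example (not the plugin's code): resolve the sandbox socket and
# refuse to run rather than fall back to the host Docker daemon.

# Print the socket path for a sandbox name, using the layout quoted in the README.
sandbox_sock_path() {
  case "$1" in
    # Reject empty names and anything that could escape the vm/ directory.
    ''|.|..|*/*) echo "invalid sandbox name: '$1'" >&2; return 2 ;;
  esac
  printf '%s\n' "$HOME/.docker/sandboxes/vm/$1/docker.sock"
}

# Print a DOCKER_HOST value for the sandbox, or fail if no socket is there.
sandbox_docker_host() {
  sock=$(sandbox_sock_path "$1") || return 2
  if [ ! -S "$sock" ]; then
    echo "no sandbox socket at $sock; refusing to use the host daemon" >&2
    return 1
  fi
  printf 'unix://%s\n' "$sock"
}

# Run one command with DOCKER_HOST set for that process only.
with_sandbox_docker() {
  name=$1; shift
  host=$(sandbox_docker_host "$name") || return $?
  DOCKER_HOST="$host" "$@"
}
```

For example, `with_sandbox_docker <name> docker info` reports the sandbox daemon's details when the sandbox is up and exits non-zero without contacting any daemon when it is not.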

Tags

claude-code, docker, mcp, sandbox

Quality Signals

Installs: 0
Last updated: 10 days ago
Security: A
README
New

Safety

Risk Level: medium
Data Access: read
Network Access: none

Details

Source: github-crawl
Last commit: 4/3/2026