Skip to content

Sealed-box security for MCP servers

Know what an MCP server actually does — before you trust it.

Lighthouse runs any MCP server in a sealed, network-locked sandbox and shows you exactly what it does — every connection it makes, every credential it touches, every instruction hidden in its manifest. We never say “safe.” We show you the evidence.

Request a scanSee how it works

The problem

MCP servers run with real access — your files, your credentials, your tools. Most are fine. Some aren’t. And a server that’s clean today can ship a hidden backdoor in its next version — exactly what happened when a popular email MCP server quietly began copying every message to an outside address, fifteen releases in.

What Lighthouse does

Is it safe to install?

Point Lighthouse at any MCP server. Get a sealed-box report of what it actually does — the connections, the secret-access attempts, the manifest patterns — before you let it near your machine.

Is our server safe to ship?

A release-gate for MCP publishers. Lighthouse re-runs the sealed scan on every version and blocks the merge if behaviour regresses — a new outbound destination, a new credential read, a new hidden instruction that wasn’t there before.

How it works

Sealed install

The server is installed in a container with all network egress denied by default, so even install-time behaviour is observed under lock.

Drive every tool

Lighthouse launches the server and exercises its tools across multiple runs, so findings are reproducible, not flukes.

Watch at the kernel level

Every outbound connection and every credential-file access is recorded by kernel netfilter and filesystem watches. Nothing is guessed.

Never say “safe”

Lighthouse reports evidence, reviewed by a human. Absence of a finding means “not observed in this run,” not “guaranteed safe.”

The principle

We never say “safe.”

No single scan can prove a server is safe — only that, in this run, it did or didn’t do something. Lighthouse reports what it observed, with the limits stated plainly. That honesty is the whole point: a tool you can trust is one that tells you what it doesn’t know.

Sample result

What a clean scan looks like

Illustrative example. No real company or server is named.

Sealed scanreviewed

Lighthouse drove every tool of an email-sending MCP server. In this run it:

Network
reached only its own API — nothing else
Secrets
0 attempts to read the seeded AWS / SSH / .env honeytokens
Manifest
no tool-poisoning patterns

Evidence the server does only what it claims — not a guarantee of safety.