Give Every Agent an Ephemeral Linux Sandbox β via MCP
</a>
Give Every Agent an Ephemeral Linux Sandbox β via MCP
Kilntainers is an MCP server that gives LLM agents isolated Linux sandboxes for executing shell commands.
- π§° Multiple backends: Containers (Docker, Podman), cloud-hosted micro-VMs (Modal, E2B), and WebAssembly sandboxes (WASM BusyBox, or any WASM module).
- ποΈ Isolated per agent: Every agent gets its own dedicated sandbox β no shared state, no cross-contamination.
- π§Ή Ephemeral: Sandboxes live for the duration of the MCP session, then are shut down and cleaned up automatically.
- π Secure by design: The agent communicates with the sandbox over MCP β it doesnβt run inside it. No agent API keys, code, or prompts are exposed to the sandbox.
- π Simple MCP interface: A single MCP tool,
sandbox_exec, lets your agent run any Linux command. - π Scalable: Scale from a few agents on your laptop to thousands running in parallel in the cloud.
Why Kilntainers?
Agents are already excellent at using terminals, and can save thousands of tokens by leveraging common Linux utilities like grep, find, jq, awk, etc. However giving an agent access to the host OS is a security nightmare, and running thousands of parallel agents on a service is painful. Kilntainers gives every agent its own isolated, ephemeral sandbox.
Quick Start
Install and run from CLI:
# install
uv tool install kilntainers
# starts with defaults: stdio MCP server, Docker, and Debian-slim (see options below)
kilntainers
Add to your MCP client (Claude, Cursor, etc.):
{
"mcpServers": {
"kilntainers": {
"command": "kilntainers"
}
}
}
How It Works
βββββββββββββββ MCP ββββββββββββββββ βββββββββββββββββββββββββββ
β LLM Agent ββββββββββΊβ Kilntainers βββββββΊβ Sandboxes β
β (client) β β MCP Server β β - Docker/Podman β
β β β β β - Cloud VM (Modal,E2B) β
β β β β β - WASM Sandbox β
βββββββββββββββ ββββββββββββββββ βββββββββββββββββββββββββββ
- An MCP client connects to Kilntainers
- On the first
sandbox_execcall, Kilntainers creates an isolated sandbox. Each connection gets its own independent sandbox. - Commands run inside the sandbox; stdout, stderr, and exit code are returned
- When the session ends, the sandbox is destroyed and resources are cleaned up.
Security: The agent communicates with the sandbox over MCP β it doesn't run inside it. This is intentional: agents often need secrets (API keys, system prompts, code), and those should never be exposed inside a sandbox where a prompt injection could exfiltrate them.
Agent Isolation & Sandbox Lifecycle: Each MCP connection starts its own isolated sandbox. In streaming HTTP mode, a single MCP server can host many sandboxes in parallel, and exec calls are routed to the sandbox associated with that connection. In stdio mode, the server runs a single sandbox per process. When a connection closes, its sandbox is shut down and deleted.
Backend Examples
See the CLI Reference for all arguments.
Docker and Podman (default)
Local containers via Docker or Podman. Any OCI image works.
kilntainers # Docker + debian-slim (defaults)
kilntainers --image alpine --engine podman # Podman + Alpine
kilntainers --image node:22 --network # Node.js with networking
Cloud Containers & VMs
Modal.com
Hosted containers with sub-second startup via Modal.com. Scales to thousands of parallel sandboxes. Supports GPUs.
kilntain
Tools (1)
sandbox_execExecutes a Linux command within an isolated, ephemeral sandbox environment.Configuration
{"mcpServers": {"kilntainers": {"command": "kilntainers"}}}