Claude Desktop launches MCP servers from `/`. This is problematic with the default `mcp-repl` sandbox configuration of `workspace-write`, since it causes the sandbox to treat `/` as the workspace root and gives the repl process broad write permissions.
One possible solution: add guardrails to `mcp-repl` to reject `/` or `~` as workspace roots with `workspace-write`, and fall back to `read-only` when they are encountered. It might also make sense to fall back to `read-only` if there is not a `.git` directory in a project.
Source: #28
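
A sketch of the guardrail proposed above, added here as an example; it is not code from `mcp-repl`. The function name, its parameters and the `require_git` switch are hypothetical, and only the mode strings `workspace-write` and `read-only` come from the issue.

```python
import os
from pathlib import Path

WORKSPACE_WRITE = "workspace-write"
READ_ONLY = "read-only"


def effective_sandbox_mode(cwd, requested=WORKSPACE_WRITE, home=None, require_git=False):
    """Return (mode, reason) for a server whose working directory is `cwd`.

    Hypothetical helper: downgrades workspace-write to read-only when the
    would-be workspace root is the filesystem root or the home directory.
    """
    if requested != WORKSPACE_WRITE:
        return requested, "mode requested by configuration"

    # Resolve symlinks and ".." first, so an alias of / or ~ is still caught.
    root = Path(os.path.realpath(cwd))
    if root == Path(root.anchor):
        return READ_ONLY, "workspace root is the filesystem root"

    home_dir = Path(os.path.realpath(home if home is not None else Path.home()))
    if root == home_dir:
        return READ_ONLY, "workspace root is the home directory"

    # Optional stricter rule from the issue. exists() rather than is_dir():
    # in git worktrees and submodules .git is a file, not a directory.
    if require_git and not (root / ".git").exists():
        return READ_ONLY, "no .git entry in workspace root"

    return WORKSPACE_WRITE, "workspace root accepted"


if __name__ == "__main__":
    # The launch directory reported in the issue, plus the home directory.
    for candidate in (os.sep, str(Path.home())):
        mode, reason = effective_sandbox_mode(candidate)
        print(f"{candidate!r}: {mode} ({reason})")
```

Comparing resolved paths rather than the raw string is what makes the check hold when the launch directory is a symlink or contains `..` components.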