Testing Capgate Against DVMCP
I tested my tool, capgate, against ten broken MCP servers in the Damn Vulnerable MCP (DVMCP) project.
DVMCP is a teaching tool. Each server demonstrates a specific attack like prompt injection, token theft, or command injection.
The goal was simple. I wrote an honest manifest for each tool. Then I asked: does the boundary capgate creates actually stop the attack?
The results show exactly what a capability compiler can and cannot do.
What it stops (The Bullseye)
In Challenge 3, a tool has excessive permissions. It claims to read one folder but can actually read the entire disk. The attack tries to steal system credentials from a private folder. capgate stops this. It compiles the manifest into a Docker container that only mounts the allowed folder. The private files do not exist inside the sandbox. The attack fails.
What it contains (The Middle Ground)
In Challenge 7, a tool leaks an API key. capgate cannot stop the tool from reading the key, but it stops the exfiltration. It creates an egress proxy that only allows connections to one specific host. The attacker cannot send the stolen key to their own server.
In Challenge 8, a tool allows arbitrary shell commands. capgate cannot express "allow any shell" in its grammar. Instead, it boxes the tool. Even if an attacker runs a command, the process has no network, no extra privileges, and a read-only filesystem. The damage is limited.
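To make the three outcomes above concrete, here is a toy capability compiler written for this post (my own sketch, not capgate's code): it turns an allowlist manifest into docker run flags and lets you check what a sandboxed tool can reach. It assumes a hypothetical Docker network named egress-only whose only route is an allowlisting proxy, and the image names and manifests are constructed stand-ins for the DVMCP challenges.

```python
"""Hypothetical capability compiler in the spirit of capgate (not its real
code): an allowlist manifest is compiled into `docker run` flags so that
everything the manifest does not name is unreachable from inside the box."""
import posixpath

def compile_manifest(manifest: dict) -> list[str]:
    """Default-deny: only declared folders are mounted, only declared
    egress is routed, and the process gets no extra privileges."""
    args = [
        "docker", "run", "--rm",
        "--read-only",                        # nothing the tool writes persists
        "--cap-drop=ALL",                     # no extra privileges
        "--security-opt=no-new-privileges",
        "--pids-limit=64",
    ]
    for host_dir in manifest.get("fs_read", []):
        # Only the declared folder exists inside the sandbox (Challenge 3).
        args.append(f"--volume={host_dir}:{host_dir}:ro")
    egress = manifest.get("egress", [])
    if not egress:
        args.append("--network=none")         # Challenge 8: no network at all
    else:
        # Assumption: 'egress-only' is a Docker network whose only route is an
        # allowlisting proxy; the proxy enforces the host list (Challenge 7).
        args += ["--network=egress-only",
                 "--env=HTTPS_PROXY=http://egress-proxy:3128",
                 "--env=EGRESS_ALLOW=" + ",".join(egress)]
    args.append(manifest["image"])
    return args

def path_reachable(manifest: dict, path: str) -> bool:
    """Can a host path be read from inside the compiled sandbox?
    Normalise first so '..' cannot walk out of an allowed mount."""
    target = posixpath.normpath(path)
    for allowed in manifest.get("fs_read", []):
        allowed = posixpath.normpath(allowed)
        # Compare whole path components, so /srv/docs does not cover /srv/docs2.
        if target == allowed or target.startswith(allowed + "/"):
            return True
    return False

def host_reachable(manifest: dict, host: str) -> bool:
    """Can the sandboxed tool open a connection to `host`?"""
    return host in manifest.get("egress", [])

# Constructed manifests modelled on the DVMCP challenges discussed above.
CHALLENGE3 = {"image": "challenge3-image", "fs_read": ["/srv/public_docs"]}
CHALLENGE7 = {"image": "challenge7-image", "egress": ["api.example.com"]}
CHALLENGE8 = {"image": "challenge8-image"}   # allows any shell: box it fully
```

Note that nothing here inspects the tool's prompts or outputs; that is exactly the gap the prompt-injection challenge below exposes.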
What it misses (The Limits)
In Challenge 1, the attack is prompt injection. The attacker tricks the model into ignoring instructions. capgate does nothing here. A sandbox compiler limits what a tool can touch, but it cannot control what an LLM says.
If you think a sandbox stops prompt injection, you are wrong. It only makes prompt injection less useful by capping the damage.
The Summary
• One clean prevention.
• Four meaningful containments.
• Three honest misses.
capgate is not a silver bullet. It is one layer of defense. It turns "this server can reach everything" into "this server can reach one specific path."
Optional learning community: https://t.me/GyaanSetuAi