A capability-compiler meets ten deliberately-broken MCP servers. The honest scorecard: it cleanly stops one class, shrinks the blast radius on several, and is useless against another. Knowing which is which is the whole point.
Disclosure: I'm the author of capgate, the Apache-2.0 sandbox compiler this post puts to the test. The DVMCP project and the other tools mentioned aren't mine; the manifests and compiled output are reproducible from the repo.
The setup
Damn Vulnerable MCP (DVMCP) is a teaching project: ten MCP servers, each built to demonstrate one attack — prompt injection, tool poisoning, excessive permission scope, token theft, command injection, and so on. It's the closest thing the ecosystem has to a shared adversarial fixture.
capgate is a compile-time tool. You write a manifest declaring what an MCP server is allowed to do — fs:read:/workspace/**, net:connect:api.github.com:443, nothing else — and it compiles that to a concrete sandbox policy (docker run flags, bwrap argv, or an egress-proxy config). It does not run anything, watch traffic, or inspect the server's code. It turns a declared capability set into an enforced boundary.






