superbox.ai
mcp
Warn
Health Warn
- License รขโฌโ License: MIT
- Description รขโฌโ Repository has a description
- Active repo รขโฌโ Last push 0 days ago
- Low visibility รขโฌโ Only 8 GitHub stars
Code Pass
- Code scan รขโฌโ Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
- Permissions รขโฌโ No dangerous permissions requested
Purpose
This project provides a centralized registry and command-line interface to discover, deploy, and test Model Context Protocol (MCP) servers. It executes these servers in isolated Cloudflare sandbox environments rather than running them directly on your local machine.
Security Assessment
The overall risk is rated as Low. A code scan of 12 files found no hardcoded secrets or dangerous patterns, and the tool does not request excessive local permissions. By design, the architecture deliberately routes network requests to external Cloudflare Workers and utilizes sandboxed execution (Cloudflare Durable Objects) to prevent untrusted code from impacting your local system. While the CLI interacts with external services and configures AI clients locally, it does so using standard, transparent operations without exposing sensitive data.
Quality Assessment
The project is actively maintained, with its most recent updates pushed today. It is backed by a standard MIT license and includes comprehensive documentation and a clear description. However, community trust and visibility are currently very low. With only 8 GitHub stars, the tool is in its early stages, meaning it has not yet been widely battle-tested by a large user base.
Verdict
Safe to use, though you should expect early-project maturity given its low community adoption.
This project provides a centralized registry and command-line interface to discover, deploy, and test Model Context Protocol (MCP) servers. It executes these servers in isolated Cloudflare sandbox environments rather than running them directly on your local machine.
Security Assessment
The overall risk is rated as Low. A code scan of 12 files found no hardcoded secrets or dangerous patterns, and the tool does not request excessive local permissions. By design, the architecture deliberately routes network requests to external Cloudflare Workers and utilizes sandboxed execution (Cloudflare Durable Objects) to prevent untrusted code from impacting your local system. While the CLI interacts with external services and configures AI clients locally, it does so using standard, transparent operations without exposing sensitive data.
Quality Assessment
The project is actively maintained, with its most recent updates pushed today. It is backed by a standard MIT license and includes comprehensive documentation and a clear description. However, community trust and visibility are currently very low. With only 8 GitHub stars, the tool is in its early stages, meaning it has not yet been widely battle-tested by a large user base.
Verdict
Safe to use, though you should expect early-project maturity given its low community adoption.
๐ฆ Discover, deploy, and test MCPs in isolated sandboxes
README.md
_ _
| | (_)
___ _ _ _ __ ___ _ __| |__ _____ __ __ _ _
/ __| | | | '_ \ / _ \ '__| '_ \ / _ \ \/ / / _` | |
\__ \ |_| | |_) | __/ | | |_) | (_) > < | (_| | |
|___/\__,_| .__/ \___|_| |_.__/ \___/_/\_(_)__,_|_|
| |
|_|
๐งฐ SuperBox
SuperBox (inspired by Docker Hub) helps you discover, deploy, and test MCPs in isolated sandboxes ( Demo Video ). It includes:
- A Python (Click) CLI to initialize metadata, run security scans, push to a registry (R2), search, and configure popular AI clients (VS Code, Cursor, Windsurf, Claude, ChatGPT)
- A Golang (Gin) backend to list/get/create MCP servers with optional pricing and security reports
- A Cloudflare Worker + Durable Object executor that runs MCP servers on demand directly from their Git repositories using a lightweight TypeScript interpreter (Cloudflare Workers blocks
eval()and exceeds the WASM bundle size limit, making Pyodide unusable)
Why this project:
- There's no centralized MCP registry to discover all MCPs, and many lack clear usage docs.
- MCPs on our platform pass a 5-step security/quality check (SonarQube, Bandit, GitGuardian) to reduce vulnerabilities and promote best practices.
- Unlike MCPs that run locally on your machine, MCP servers here execute in sandboxed environments and return responses securely.
Key Features
- Central MCP Registry: R2-backed registry with per-server JSON for easy discovery and portability.
- Sandboxed Execution: MCP servers run in Cloudflare Durable Objects and return responses securely. The executor supports
requests-based HTTP tools; seecloudflare/README.mdfor the full scope. - Security Pipeline (5-step): SonarQube, Bandit, and GitGuardian checks with a unified report.
- One-Command Publish:
superbox pushscans, discovers tools, and uploads a unified record to R2. - Client Auto-Config:
superbox pull --client cursor|vscode|...writes correct MCP config pointing to the Cloudflare Worker. - Terminal Runner:
superbox run --name <server>starts an interactive prompt against the Cloudflare executor. - Live Logs:
superbox logs --name <server>shows instructions for streaming logs viawrangler tail. - Tool Discovery: Regex-based discovery across Python code and optional Node
package.jsondefinitions.
๐ Documentation
For complete documentation, setup guides, API references, and CLI usage:
๐ https://superbox.1mindlabs.org/docs
๐ Research Paper
The IEEE research paper for SuperBox is available in the ieee/ directory:
๐๏ธ Project Structure
.
โโโ docs/ # Documentation (INSTALL.md, SETUP.md)
โโโ ieee/ # IEEE research paper (paper.pdf, paper.tex)
โโโ src/
โ โโโ superbox/
โ โโโ cli/ # CLI: init, auth, push, pull, run, search, inspect, test, logs
โ โ โโโ commands/ # CLI subcommands
โ โ โโโ scanners/ # SonarCloud, Bandit, ggshield, tool-discovery
โ โโโ server/ # Golang (Gin) app + handlers
โ โ โโโ handlers/ # servers, payment, auth, health
โ โ โโโ models/ # Request/response types
โ โ โโโ helpers/ # Python R2 helper
โ โ โโโ templates/ # Landing page
โ โโโ shared/ # Config, models, R2/S3-compat utils
โโโ pyproject.toml # Project metadata & dependencies
โโโ Dockerfile # Server container
โโโ docker-compose.yaml # Optional local stack
โโโ tests/ # pytest suite - see tests/README.md
๐ API Reference
The HTTP API provides endpoints for server management, authentication, and payments.
For complete API documentation, see:
https://superbox.1mindlabs.org/docs/api
๐ง CLI Overview
The SuperBox CLI provides commands for authentication, server management, and testing:
Authentication:
superbox auth registerโ Register a new accountsuperbox auth loginโ Log in (email/Google/GitHub)superbox auth logoutโ Log outsuperbox auth statusโ Check authentication statussuperbox auth refreshโ Refresh authentication token
Server Management:
superbox initโ Initialize a new MCP server projectsuperbox pushโ Publish server to registrysuperbox pullโ Download and configure server for AI clientssuperbox searchโ Search for servers in registrysuperbox inspectโ View server details and security reportsuperbox testโ Test server directly from repository (without registry)
Execution & Monitoring:
superbox runโ Run server in interactive modesuperbox logsโ View server execution logs
For detailed CLI documentation and usage examples, see:
https://superbox.1mindlabs.org/docs/cli
๐ฆ Installation
pip install superbox
- PyPI: https://pypi.org/project/superbox
- npm: coming soon
See docs/INSTALL.md for complete installation instructions.
๐ License
This project is licensed under the MIT License.
๐ฅ Authors
Core Contributors:
Acknowledgments:
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found