[GH-ISSUE #4635] my AnythingLLM MCP Bridge & Prompt Injector docker only #2944

Closed
opened 2026-02-22 18:31:58 -05:00 by yindo · 2 comments
Owner

Originally created by @danny094 on GitHub (Nov 10, 2025).
Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4635

I previously suggested an idea for integrating Docker and MCP into Anything via a bridge. Now I've finally done it.

MCP Bridge & Prompt Injector (Danny)

Hello — I'm Danny, a solo developer, hobbyist dev, and security fanatic. This project provides a secure, Docker-friendly bridge for AnythingLLM, enabling the use of MCP (Model Context Protocol) tools across Docker networks — without granting Docker itself permission to start other containers.

Why this project?

AnythingLLM has a problem: Containers cannot (safely) start other containers. This breaks MCP workflows in isolated Docker setups. Instead of granting Docker additional privileges (which violates the security assumptions of containers), I built a different solution—an MCP bridge + prompt injector architecture. In short: I wanted to maintain control and security—and still be able to call tools (time, weather, docs, etc.) from within AnythingLLM.

Architecture (in brief)

bridge – a dummy MCP that acts as a target for AnythingLLM and forwards calls to real MCP services.
prompt-injector – central control center. Decides whether a tool is needed, injects system prompts, sanitizes input (security layer), and calls the MCP Hub if necessary.
MCP Hub – directory containing the available MCP tools (e.g., time, weather, docs), typically accessible as separate Docker containers.
Main Principles

No elevation of Docker privileges: no docker.sock mount, no DinD.
Security-first: Input sanitizer, tool access control, and audit logger.
Modular: simply add new MCP containers to the TOOLS map.
Example configuration (prompt rules)

SYSTEM_PROMPT = """
You are a precise AI assistant with access to tools (MCP).
Behave as follows:
1️⃣ If you can answer the query directly (explanation, opinion, knowledge, small talk),
respond immediately, of course, in text form.
2️⃣ If a tool is needed (time, weather, documents, external data),
return only JSON in the format:
{"action": "mcp_call", "tool": "<toolname>", "query": "<user question>"}
3️⃣ Do not answer philosophical or open-ended questions with tool calls.
4️⃣ Do not return a JSON structure if no tool is required.
"""

Prompt Injector — Core Functions (Short)

  • ask_deepseek(user_prompt: str) — sends the message to the model with the system prompt and temperature.
    -call_mcp_tool(tool: str, query: str) — constructs a JSON-RPC and calls MCP_HUB_URL/{tool}, parses the -----response, and returns the content.
    -sanitize_input(prompt: str) — filters dangerous payloads such as rm -rf, sudo, curl, API keys, etc.
    -ALLOWED_TOOLS — list of allowed tools (e.g., ["time","docs","search"]).

-MCP Hub — Example

TOOLS = {
    "time": "http://mcp-time:4210/",
    "weather": "http://mcp-weather:4220/",
    "docs": "http://mcp-docs:4230/"
}

time This works as a demo; the others are placeholders — simply enter the new MCP container there.

##Data & Context
prompt-injector/data/memory.db – Simple context database (currently: 10 entries) to ensure that subsequent queries for MCP calls remain context-sensitive.

TODO / Roadmap
-Complete implementation of Decision Rules (an agent that decides in advance whether an MCP call is necessary).
-Expand the audit logger (who made which request).
-Add more unit tests and sample MCPs (weather, docs).
-Optional authentication/user management for shared operation (family).

Security Notes
This architecture deliberately avoids docker.sock mounts.
Nevertheless: MCP services are web endpoints — be mindful of network access and secure your internal network (e.g., Docker Network ACLs, internal firewalls).

Participation / Usage

Clone the repository
Run docker compose up (Note: create external networks like danny_ai-net if necessary, or set external: true)
Adjust TOOLS and SYSTEM_PROMPT to your needs.
Check prompt-injector/ for sanitizer, ALLOWED_TOOLS, and memory configuration.

Image Image Image Image
Originally created by @danny094 on GitHub (Nov 10, 2025). Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4635 I previously suggested an idea for integrating Docker and MCP into Anything via a bridge. Now I've finally done it. MCP Bridge & Prompt Injector (Danny) Hello — I'm Danny, a solo developer, hobbyist dev, and security fanatic. This project provides a secure, Docker-friendly bridge for AnythingLLM, enabling the use of MCP (Model Context Protocol) tools across Docker networks — without granting Docker itself permission to start other containers. Why this project? AnythingLLM has a problem: Containers cannot (safely) start other containers. This breaks MCP workflows in isolated Docker setups. Instead of granting Docker additional privileges (which violates the security assumptions of containers), I built a different solution—an MCP bridge + prompt injector architecture. In short: I wanted to maintain control and security—and still be able to call tools (time, weather, docs, etc.) from within AnythingLLM. Architecture (in brief) bridge – a dummy MCP that acts as a target for AnythingLLM and forwards calls to real MCP services. prompt-injector – central control center. Decides whether a tool is needed, injects system prompts, sanitizes input (security layer), and calls the MCP Hub if necessary. MCP Hub – directory containing the available MCP tools (e.g., time, weather, docs), typically accessible as separate Docker containers. Main Principles No elevation of Docker privileges: no docker.sock mount, no DinD. Security-first: Input sanitizer, tool access control, and audit logger. Modular: simply add new MCP containers to the TOOLS map. Example configuration (prompt rules) ``` SYSTEM_PROMPT = """ You are a precise AI assistant with access to tools (MCP). Behave as follows: 1️⃣ If you can answer the query directly (explanation, opinion, knowledge, small talk), respond immediately, of course, in text form. 2️⃣ If a tool is needed (time, weather, documents, external data), return only JSON in the format: {"action": "mcp_call", "tool": "<toolname>", "query": "<user question>"} 3️⃣ Do not answer philosophical or open-ended questions with tool calls. 4️⃣ Do not return a JSON structure if no tool is required. """ ``` Prompt Injector — Core Functions (Short) - ask_deepseek(user_prompt: str) — sends the message to the model with the system prompt and temperature. -call_mcp_tool(tool: str, query: str) — constructs a JSON-RPC and calls MCP_HUB_URL/{tool}, parses the -----response, and returns the content. -sanitize_input(prompt: str) — filters dangerous payloads such as rm -rf, sudo, curl, API keys, etc. -ALLOWED_TOOLS — list of allowed tools (e.g., ["time","docs","search"]). -MCP Hub — Example ``` TOOLS = { "time": "http://mcp-time:4210/", "weather": "http://mcp-weather:4220/", "docs": "http://mcp-docs:4230/" } ``` time This works as a demo; the others are placeholders — simply enter the new MCP container there. ##Data & Context prompt-injector/data/memory.db – Simple context database (currently: 10 entries) to ensure that subsequent queries for MCP calls remain context-sensitive. TODO / Roadmap -Complete implementation of Decision Rules (an agent that decides in advance whether an MCP call is necessary). -Expand the audit logger (who made which request). -Add more unit tests and sample MCPs (weather, docs). -Optional authentication/user management for shared operation (family). Security Notes This architecture deliberately avoids docker.sock mounts. Nevertheless: MCP services are web endpoints — be mindful of network access and secure your internal network (e.g., Docker Network ACLs, internal firewalls). -- Participation / Usage Clone the repository Run docker compose up (Note: create external networks like danny_ai-net if necessary, or set external: true) Adjust TOOLS and SYSTEM_PROMPT to your needs. Check prompt-injector/ for sanitizer, ALLOWED_TOOLS, and memory configuration. <img width="814" height="988" alt="Image" src="https://github.com/user-attachments/assets/bc766e20-400e-4001-87e8-3f1c32a1ece1" /> <img width="1472" height="505" alt="Image" src="https://github.com/user-attachments/assets/e78b9301-cc89-42b2-bfb4-456b16cd7146" /> <img width="934" height="454" alt="Image" src="https://github.com/user-attachments/assets/a500e6e6-b2a9-44bd-bf7b-25d75f28c684" /> <img width="1557" height="655" alt="Image" src="https://github.com/user-attachments/assets/63514918-07cf-40c0-941a-6d49df611dc6" />
yindo closed this issue 2026-02-22 18:31:58 -05:00
Author
Owner

@danny094 commented on GitHub (Nov 10, 2025):

If the developers and users are interested in testing it,

here are the instructions.

And more detailed information as well.
Since everything runs via Docker, and Anythingllm doesn't need to be modified, it can't be broken.

https://github.com/danny094/mcp-docker-server-anythingllm/blob/main/installation.md

@danny094 commented on GitHub (Nov 10, 2025): If the developers and users are interested in testing it, here are the instructions. And more detailed information as well. Since everything runs via Docker, and Anythingllm doesn't need to be modified, it can't be broken. https://github.com/danny094/mcp-docker-server-anythingllm/blob/main/installation.md
Author
Owner

@timothycarambat commented on GitHub (Nov 12, 2025):

This is not the place to promote things! We use Github for feature requests and issue tracking. Stuff like this should go in Discord!

@timothycarambat commented on GitHub (Nov 12, 2025): This is not the place to promote things! We use Github for feature requests and issue tracking. Stuff like this should go in Discord!
yindo changed title from my AnythingLLM MCP Bridge & Prompt Injector docker only to [GH-ISSUE #4635] my AnythingLLM MCP Bridge & Prompt Injector docker only 2026-06-05 14:49:26 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#2944