The MCP server exposes zero shell-execution tools — no execute_shell_cmd, no arbitrary code path. The agent physically cannot escape the security boundary defined by the server.
One-liner pull of a prebuilt Windows VMware DFIR lab VM with all tools native (Volatility3, capa, FLOSS, YARA, oletools, Eric Zimmerman, Chainsaw, Hayabusa, Sleuth Kit, RegRipper, AppCompatProcessor) ...