Evaluation record ยท mcp-server-box

MCP Box Server

vhosted remote

Box (Official)

MCPfile-storageenterprise-contentdocument-aimcp
76
Strong
About This MCP

Box's official MCP server, a hosted remote at https://mcp.box.com using OAuth 2.0 with admin-managed enablement (Admin Console > Integrations) - the only supported path, as the self-hosted community Python server is deprecated. Tools cover user info, file/folder operations (read, list, search), and Box AI (Q&A across files, metadata extraction) over enterprise content. Mostly read plus AI extraction; permission-scoped to the authorizing user.

Last Evaluated: July 9, 2026
Official Website

Trust Vector Analysis

Dimension Breakdown

๐Ÿš€Performance & Reliability
+
file operation reliability

Operation success rate assessment against the Box Platform API

Evidence
Box Developer Docs - Box MCP server โ€” File and folder read, list, and content operations run on Box's mature content API platform
highVerified: 2026-07-09
search accuracy

Search quality testing

Evidence
Box Search API โ€” Search tools build on Box's full-text and metadata search across the user's accessible content
mediumVerified: 2026-07-09
box ai extraction quality

AI tool output quality review

Evidence
GitHub - box/mcp-server-box-remote โ€” Box AI tools provide Q&A across files and structured metadata extraction; quality depends on document type and the underlying Box AI models
mediumVerified: 2026-07-09
rate limit handling

Rate limiting behavior analysis

Evidence
Box API Rate Limits โ€” Subject to Box per-user API rate limits; Box AI operations have separate capacity constraints
mediumVerified: 2026-07-09
error recovery

Error handling testing

Evidence
Box Developer Docs - Box MCP server โ€” Standard Box API errors (permission, not-found, rate limit) are surfaced to the MCP client
mediumVerified: 2026-07-09
๐Ÿ›ก๏ธSecurity
+
authentication security

Authentication mechanism review

Evidence
GitHub - box/mcp-server-box-remote โ€” OAuth 2.0 with Bearer tokens; client credentials are issued through Box's Admin Console or Developer Console and each user authorizes access individually
highVerified: 2026-07-09
admin access control

Admin governance and enablement review

Evidence
Box Support - Managing Box MCP Servers โ€” MCP access is admin-managed: enterprise admins enable/configure the MCP server from Admin Console > Integrations, create Integration Credentials, and configure scopes such as Content Actions
highVerified: 2026-07-09
content prompt injection resistance

Analysis of document content as a prompt-injection vector into multi-tool agent contexts

Evidence
Box Developer Docs - Box MCP server โ€” The server's core function is feeding enterprise document content and Box AI answers over that content into agent contexts; any file a user can access (including externally shared or collaborator-uploaded documents) is an untrusted-content channel that can carry injected instructions
mediumVerified: 2026-07-09
data modification risk

Write-path and blast-radius assessment of the documented tool set

Evidence
GitHub - box/mcp-server-box-remote โ€” Documented tool categories are user info, file/folder read-list-search operations, and Box AI Q&A/extraction - a mostly read-plus-AI surface with limited destructive write capability
mediumVerified: 2026-07-09
audit logging

Audit logging review

Evidence
Box Events API โ€” Content access via MCP is attributable to the authorizing user in Box enterprise event streams and admin reports
mediumVerified: 2026-07-09
๐Ÿ”’Privacy & Compliance
+
file content exposure

Data flow analysis of content exposure to the model context

Evidence
MCP Data Flow โ€” Enterprise document content - contracts, financials, HR files - retrieved or summarized via MCP tools enters the connected LLM provider's context
highVerified: 2026-07-09
metadata extraction privacy

Assessment of structured extraction over sensitive documents

Evidence
GitHub - box/mcp-server-box-remote โ€” Box AI metadata extraction pulls structured fields (names, dates, amounts) out of documents at scale, concentrating sensitive values into agent-readable form
mediumVerified: 2026-07-09
enterprise data governance

Governance control review

Evidence
Box Support - Managing Box MCP Servers โ€” Access is permission-scoped to the authorizing user and governed by admin-configured scopes; Box's existing enterprise governance (permissions, classifications) applies to what MCP can reach
highVerified: 2026-07-09
third party data sharing

Data sharing analysis

Evidence
LLM Provider Policies โ€” Content retrieved via MCP is processed by the connected LLM provider (Claude, Copilot Studio, ChatGPT, Le Chat) under that provider's privacy policy
highVerified: 2026-07-09
๐Ÿ‘๏ธTrust & Transparency
+
documentation quality

Documentation completeness review

Evidence
Box Developer Docs - Box MCP server โ€” First-party developer guide plus a public GitHub README covering OAuth setup, Admin Console configuration, and per-platform connection examples (Claude, Copilot Studio, Cursor, GitHub Copilot)
highVerified: 2026-07-09
open source transparency

Source availability review

Evidence
GitHub - box/mcp-server-box-remote โ€” The hosted service itself is closed source; the MIT-licensed repo documents it, and the open-source self-hosted alternative (box-community/mcp-server-box) is deprecated for new work
highVerified: 2026-07-09
operation visibility

Logging and traceability assessment

Evidence
Box Events API โ€” Admins can observe MCP-driven content access through Box's enterprise event and reporting surfaces
mediumVerified: 2026-07-09
api coverage clarity

API documentation review

Evidence
GitHub - box/mcp-server-box-remote โ€” Tools are enumerated by functional category (user info, file/folder operations, Box AI), making the capability surface explicit
highVerified: 2026-07-09
โš™๏ธOperational Excellence
+
ease of setup

Setup complexity assessment

Evidence
Box Support - Managing Box MCP Servers โ€” End users cannot simply connect: an enterprise admin must first enable MCP in Admin Console > Integrations and issue Integration Credentials (client ID/secret) before OAuth connection to https://mcp.box.com
highVerified: 2026-07-09
api performance

Performance assessment

Evidence
Box Developer Platform โ€” File operations track Box API latency; Box AI Q&A and extraction calls add model-inference latency
mediumVerified: 2026-07-09
reliability

Reliability analysis

Evidence
Box Status โ€” Hosted on Box's production infrastructure with public status transparency and enterprise uptime track record
highVerified: 2026-07-09
feature coverage

Feature coverage assessment

Evidence
GitHub - box/mcp-server-box-remote โ€” Covers content read/list/search and Box AI; deliberately narrower than the full Box API (limited write, no admin operations)
mediumVerified: 2026-07-09
platform support

Client platform support review

Evidence
Box Developer Docs - Box MCP server โ€” Documented integrations across Copilot Studio, Claude/Claude Code, Mistral Le Chat, ChatGPT, Cursor, GitHub Copilot, and other MCP clients; also listed as a Microsoft connector and on AWS Marketplace
highVerified: 2026-07-09
Strengths
  • +Official Box-hosted remote at https://mcp.box.com with OAuth 2.0 - the single supported path, replacing the deprecated self-hosted Python server
  • +Admin-managed enablement: enterprise admins control activation, credentials, and scopes from Admin Console > Integrations
  • +Mostly read-plus-AI tool surface (user info, file/folder read/list/search, Box AI Q&A and metadata extraction) - limited destructive blast radius
  • +Access is permission-scoped to the authorizing user under Box's existing enterprise governance
  • +Broad documented client support: Copilot Studio, Claude, ChatGPT, Mistral Le Chat, Cursor, GitHub Copilot
  • +MCP-driven access attributable to the user in Box enterprise event streams
Limitations
  • !Prompt-injection-via-content territory: enterprise documents (including externally shared files) flow into agent contexts, so hostile content in any accessible file can carry instructions to a multi-tool agent
  • !Enterprise file content and Box AI extractions are processed by the connected LLM provider
  • !Admin enablement is a prerequisite - individual users cannot self-serve, and setup requires Integration Credentials plus scope configuration
  • !Closed-source hosted service; the deprecated open-source self-hosted server is the only auditable variant
  • !Narrower than the full Box API: limited write operations and no admin/governance tooling
  • !Box AI extraction concentrates sensitive structured values (names, amounts, dates) into agent-readable output
  • !Box AI and per-user API rate limits constrain heavy workloads
Metadata
license: Proprietary (hosted service); documentation repo MIT; deprecated self-hosted server open source
supported platforms
0: Hosted remote (https://mcp.box.com)
1: Any MCP client with HTTP transport and OAuth support
programming languages
0: N/A (hosted service)
mcp version: 1.0
docs: https://developer.box.com/guides/box-mcp/
github repo: https://github.com/box/mcp-server-box-remote
api dependency: Box Platform API, Box AI
authentication: OAuth 2.0 with admin-issued Integration Credentials (client ID/secret); per-user authorization
remote endpoint: https://mcp.box.com
self hosted status: Deprecated - box-community/mcp-server-box (Python) no longer recommended for new work
maintained by: Box
status: Active - hosted remote is the supported path
transport types
0: streamable-http

Use Case Ratings

code generation

Marginal fit; useful mainly for pulling specs and docs stored in Box into coding agents

customer support

Good for grounding answers in policy and product documents stored in Box

content creation

Strong for drafting from existing enterprise documents and asset libraries

data analysis

Box AI metadata extraction turns document sets into structured data for analysis

research assistant

Excellent for Q&A and synthesis across large enterprise document repositories

legal compliance

Strong admin governance, but contract content reaching the LLM provider needs review against matter confidentiality

healthcare

PHI in stored documents routed through agent contexts is high risk despite permission scoping

financial analysis

Good for extracting figures from financial documents; exposure of sensitive numbers to the LLM applies

education

Good for course material Q&A and document-based learning workflows

creative writing

Limited fit beyond referencing source material stored in Box