MCP Box Server
vhosted remoteBox (Official)
Box's official MCP server, a hosted remote at https://mcp.box.com using OAuth 2.0 with admin-managed enablement (Admin Console > Integrations) - the only supported path, as the self-hosted community Python server is deprecated. Tools cover user info, file/folder operations (read, list, search), and Box AI (Q&A across files, metadata extraction) over enterprise content. Mostly read plus AI extraction; permission-scoped to the authorizing user.
Trust Vector Analysis
Dimension Breakdown
๐Performance & Reliability+
Operation success rate assessment against the Box Platform API
Search quality testing
AI tool output quality review
Rate limiting behavior analysis
Error handling testing
๐ก๏ธSecurity+
Authentication mechanism review
Admin governance and enablement review
Analysis of document content as a prompt-injection vector into multi-tool agent contexts
Write-path and blast-radius assessment of the documented tool set
Audit logging review
๐Privacy & Compliance+
Data flow analysis of content exposure to the model context
Assessment of structured extraction over sensitive documents
Governance control review
Data sharing analysis
๐๏ธTrust & Transparency+
Documentation completeness review
Source availability review
Logging and traceability assessment
API documentation review
โ๏ธOperational Excellence+
Setup complexity assessment
Performance assessment
Reliability analysis
Feature coverage assessment
Client platform support review
- +Official Box-hosted remote at https://mcp.box.com with OAuth 2.0 - the single supported path, replacing the deprecated self-hosted Python server
- +Admin-managed enablement: enterprise admins control activation, credentials, and scopes from Admin Console > Integrations
- +Mostly read-plus-AI tool surface (user info, file/folder read/list/search, Box AI Q&A and metadata extraction) - limited destructive blast radius
- +Access is permission-scoped to the authorizing user under Box's existing enterprise governance
- +Broad documented client support: Copilot Studio, Claude, ChatGPT, Mistral Le Chat, Cursor, GitHub Copilot
- +MCP-driven access attributable to the user in Box enterprise event streams
- !Prompt-injection-via-content territory: enterprise documents (including externally shared files) flow into agent contexts, so hostile content in any accessible file can carry instructions to a multi-tool agent
- !Enterprise file content and Box AI extractions are processed by the connected LLM provider
- !Admin enablement is a prerequisite - individual users cannot self-serve, and setup requires Integration Credentials plus scope configuration
- !Closed-source hosted service; the deprecated open-source self-hosted server is the only auditable variant
- !Narrower than the full Box API: limited write operations and no admin/governance tooling
- !Box AI extraction concentrates sensitive structured values (names, amounts, dates) into agent-readable output
- !Box AI and per-user API rate limits constrain heavy workloads
Use Case Ratings
code generation
Marginal fit; useful mainly for pulling specs and docs stored in Box into coding agents
customer support
Good for grounding answers in policy and product documents stored in Box
content creation
Strong for drafting from existing enterprise documents and asset libraries
data analysis
Box AI metadata extraction turns document sets into structured data for analysis
research assistant
Excellent for Q&A and synthesis across large enterprise document repositories
legal compliance
Strong admin governance, but contract content reaching the LLM provider needs review against matter confidentiality
healthcare
PHI in stored documents routed through agent contexts is high risk despite permission scoping
financial analysis
Good for extracting figures from financial documents; exposure of sensitive numbers to the LLM applies
education
Good for course material Q&A and document-based learning workflows
creative writing
Limited fit beyond referencing source material stored in Box