filesystem-mcp
The reference MCP server for read/write access to a configured directory. Part of the modelcontextprotocol/servers monorepo. Default 'agent can touch my files' tool.
Default for any agent that needs to read or write a directory you nominate. Scope it tight — never point at $HOME.
What it does
Exposes filesystem operations as MCP tools. The agent gets read_file, write_file, edit_file (with diff-style patches), list_directory, search_files, move_file, create_directory, and get_file_info. All operations are scoped to a list of allowed directories you pass at launch.
When you actually need it
Any time an agent needs to touch real files. The most common pattern: point it at a single project folder, let the agent read code or docs, and (with human-approval gates on writes) let it draft small edits.
Setup
# Claude Desktop (config.json under "mcpServers")
"filesystem": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-filesystem",
"/Users/you/code/your-repo"
]
}
Pass one path. Pass two paths if you need it. Don’t pass / and don’t pass $HOME. Each path becomes a separately-scoped read/write zone.
The catch
write_file, edit_file, move_file and the path-creating tools are all on by default. That’s the right call — most agents need them — but it means the blast radius equals “everything writeable under the allow-list.” Two mitigations: scope tighter than you think (one repo subfolder, not the whole monorepo), and use a host that gates destructive tool calls behind explicit approval (Claude Desktop does this for any tool the agent flags as having side effects — but you can also enforce per-call approval globally in host settings).
For agents running unsupervised (cron, headless), don’t grant write at all. Run with read-only by giving the agent a read-only-fs wrapper or by using a separate filesystem MCP fork that drops write tools.
What’s in the monorepo
filesystem-mcp lives in modelcontextprotocol/servers alongside postgres-mcp, slack-mcp, and ~20 other reference MCPs. The repo’s overall star count (~85k) is shared across all of them — see the scorecard below for what we measure per package vs per repo.
FOR: Local file operations on a tightly-scoped allow-list of directories.
Use it. Scope the allow-list to one repo subfolder, not $HOME. For unsupervised agents, drop write tools entirely (fork or wrap); for supervised agents, configure your host to gate destructive calls with explicit approval.
Maintained by Anthropic and the modelcontextprotocol working group.
Inherited from the modelcontextprotocol/servers monorepo.
PRs go through the modelcontextprotocol org; public review history.
Server itself stores no secrets. If your agent reads a file containing a secret, that secret enters the LLM context — that's your prompt's problem, not the server's.
Runs as subprocess of the MCP host. The path allow-list is enforced inside the server process itself.
Hard-scoped at server launch via the allow-list paths. The server refuses operations on paths outside the list.
No shell tools exposed.
Pure filesystem — no network calls.
Filesystem doesn't authenticate.
By default the server exposes read AND write AND delete tools. You'd need a fork or a wrapper to ship a read-only mode.
File contents the agent reads can contain hostile instructions. Treat all read output as untrusted text — particularly README.md, code comments, and any data file under attacker influence.
Small JS dep tree. Direct deps are MCP SDK, glob matcher, and a few Node-native modules.
No active CVEs at last scan.
No rate limits — purely local I/O.
npm package published with provenance attestations.
Anthropic's monorepo policy applies; private vulnerability reporting via Security tab.
Files stay on your machine. Only the agent's reads enter the LLM context (over whatever transport you've configured).
No persisted credentials.
4 present · human approval optional
write_fileedit_filemove_filecreate_directory
NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't