DEV

filesystem-mcp

The reference MCP server for read/write access to a configured directory. Part of the modelcontextprotocol/servers monorepo. Default 'agent can touch my files' tool.

Alive Recommended REVIEWED 2026-05-07
VERDICT

Default for any agent that needs to read or write a directory you nominate. Scope it tight — never point at $HOME.

What it does

Exposes filesystem operations as MCP tools. The agent gets read_file, write_file, edit_file (with diff-style patches), list_directory, search_files, move_file, create_directory, and get_file_info. All operations are scoped to a list of allowed directories you pass at launch.

When you actually need it

Any time an agent needs to touch real files. The most common pattern: point it at a single project folder, let the agent read code or docs, and (with human-approval gates on writes) let it draft small edits.

Setup

# Claude Desktop (config.json under "mcpServers")
"filesystem": {
  "command": "npx",
  "args": [
    "-y",
    "@modelcontextprotocol/server-filesystem",
    "/Users/you/code/your-repo"
  ]
}

Pass one path. Pass two paths if you need it. Don’t pass / and don’t pass $HOME. Each path becomes a separately-scoped read/write zone.

The catch

write_file, edit_file, move_file and the path-creating tools are all on by default. That’s the right call — most agents need them — but it means the blast radius equals “everything writeable under the allow-list.” Two mitigations: scope tighter than you think (one repo subfolder, not the whole monorepo), and use a host that gates destructive tool calls behind explicit approval (Claude Desktop does this for any tool the agent flags as having side effects — but you can also enforce per-call approval globally in host settings).

For agents running unsupervised (cron, headless), don’t grant write at all. Run with read-only by giving the agent a read-only-fs wrapper or by using a separate filesystem MCP fork that drops write tools.

What’s in the monorepo

filesystem-mcp lives in modelcontextprotocol/servers alongside postgres-mcp, slack-mcp, and ~20 other reference MCPs. The repo’s overall star count (~85k) is shared across all of them — see the scorecard below for what we measure per package vs per repo.

▸ MCP SECURITY SCORECARD Methodology v1.0 · Confidence HIGH · Reviewed 2026-05-07 · Next review due 2026-08-07
METHODOLOGY ↗
ADOPT WITH LIMITS

FOR: Local file operations on a tightly-scoped allow-list of directories.

Use it. Scope the allow-list to one repo subfolder, not $HOME. For unsupervised agents, drop write tools entirely (fork or wrap); for supervised agents, configure your host to gate destructive calls with explicit approval.

Maintainer corp

Maintained by Anthropic and the modelcontextprotocol working group.

Licence MIT

Inherited from the modelcontextprotocol/servers monorepo.

Code review yes

PRs go through the modelcontextprotocol org; public review history.

Secrets handling scoped

Server itself stores no secrets. If your agent reads a file containing a secret, that secret enters the LLM context — that's your prompt's problem, not the server's.

Sandbox process

Runs as subprocess of the MCP host. The path allow-list is enforced inside the server process itself.

Filesystem access scoped

Hard-scoped at server launch via the allow-list paths. The server refuses operations on paths outside the list.

Shell access no

No shell tools exposed.

Network egress none

Pure filesystem — no network calls.

OAuth handling n/a

Filesystem doesn't authenticate.

Default permissions broad

By default the server exposes read AND write AND delete tools. You'd need a fork or a wrapper to ship a read-only mode.

Prompt-injection exposure high

File contents the agent reads can contain hostile instructions. Treat all read output as untrusted text — particularly README.md, code comments, and any data file under attacker influence.

Supply chain surface low

Small JS dep tree. Direct deps are MCP SDK, glob matcher, and a few Node-native modules.

Dep CVE surface clean

No active CVEs at last scan.

Rate-limit risk low

No rate limits — purely local I/O.

Signed releases yes

npm package published with provenance attestations.

Security policy yes

Anthropic's monorepo policy applies; private vulnerability reporting via Security tab.

Telemetry none
Data residency local

Files stay on your machine. Only the agent's reads enter the LLM context (over whatever transport you've configured).

Credential storage memory

No persisted credentials.

DESTRUCTIVE TOOLS

4 present · human approval optional

  • write_file
  • edit_file
  • move_file
  • create_directory

NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't