MCP Verdict

@infoinlet/mcp-filesystem

MCP server · Verified · Rung 3
A · 96

Minimal-surface filesystem MCP server hardened for agent use. Read-only by default (FS_WRITE_ALLOWED=true to enable writes). Requires FS_ROOT — refuses to start without it. Two-layer path protection: lexical containment check plus realpathSync to defeat symlink escape.


Score breakdown

Functional: 100/100
Reliability: 90/100
Latency: 100/100
Security: 96/100
Confidence: low · 50%

Based on 1 evaluation. Confidence rises as more independent tests agree.

Method rung1.v1 · computed Jun 9, 2026

The verdict

The most security-correct filesystem MCP server tested in this category. Every claim in the description checks out: the server refuses to start without FS_ROOT, all paths are jailed to that root, path traversal is blocked with a clear error, symlink escape is blocked via realpathSync, and writes are off by default. This is the right security model (required root, read-only by default, two-layer protection), and it is implemented correctly. The tradeoff is a deliberately small API: 4 read tools plus an opt-in write tool, versus the 14 tools in the official server. No copy, move, tree, or directory creation. If you need those operations, use the official server. If you need the strongest security posture and a narrow surface, this is the better choice. The package has 2 versions and no source repository linked in npm metadata, which is the same provenance gap as other community packages in this category; the code quality and security implementation suggest intentional, competent authorship rather than a copy.

Security findings

Flags from our evaluations, ordered by severity.

  • Info

    PACKAGE_METADATA

    2 published versions (0.1.0, 0.1.1). No repository URL in package.json. Author field is absent. The code quality and security design suggest intentional authorship, but the package cannot be verified against a source repository.

  • Info

    MINIMAL_TOOLSET

    5 tools total (4 read + 1 write). No move, copy, directory creation, tree view, or multi-file read. This is a design choice — the small surface reduces attack area — but agents expecting the official server API will find missing tools.

Test history

1 run

Every evaluation behind the score. This is the receipt.

  1. Pass · manual

    Reliability: 90/100
    Latency: 2 ms
    Setup: Easy
    Flags: 2

    All 5 tools verified via sandbox (Node v22). Without FS_ROOT: returns error immediately. read_file: returns correct content. list_dir: lists correctly with type annotations (file/dir). stat: returns size, type, mtime. search_files: name_contains and content_contains both work, depth-limited. write_file: available and functional when FS_WRITE_ALLOWED=true; blocked with 'writes disabled (set FS_WRITE_ALLOWED=true)' when not set. 11/11 tests passed including all security checks.

    Info: PACKAGE_METADATA · Info: MINIMAL_TOOLSET
