MCP Verdict

@cyanheads/filesystem-mcp-server

MCP server · Verified · Rung 3
B 89

TypeScript filesystem MCP server with directory restriction via FS_BASE_DIRECTORY environment variable. 10 tools including read, write, update, list, delete, and copy/move operations. Supports STDIO and HTTP transports.


Score breakdown

Functional: 100/100
Reliability: 82/100
Latency: 100/100
Security: 73/100
Confidence: low · 50%

Based on 1 evaluation. Confidence rises as more independent tests agree.

Method rung1.v1 · computed Jun 9, 2026

The verdict

Works correctly when properly configured, but the security model is opt-in rather than enforced. Set FS_BASE_DIRECTORY and the server correctly blocks all paths outside that directory. Omit it and the server runs with unrestricted access. The official server makes the opposite choice: it refuses to start without at least one allowed directory. That difference matters in practice because misconfiguration is the failure mode most likely to happen in real deployments. Core tools all pass testing. The tool naming convention differs from the official server (list_files instead of list_directory, move_path instead of move_file), so integrations targeting this server are not drop-in compatible with the official one. One unexplained dependency: @google/genai ships as a runtime dependency for reasons not documented in the README, adding roughly 25MB and a large supply-chain surface that is not obviously needed for local filesystem access. Configure carefully, and consider whether the dual-transport support (STDIO + HTTP) justifies the added configuration surface over the official server.
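A fail-closed launch check of the kind the verdict contrasts with the opt-in model, as an added example that is not code from this server or from the official one. The helper names `requireBaseDirectory` and `resolveInsideBase`, the error strings and the rejection of a root base directory are assumptions made for illustration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper: fail closed when the base directory is missing or unusable.
function requireBaseDirectory(env: Record<string, string | undefined>): string {
  const raw = env.FS_BASE_DIRECTORY;
  if (!raw || raw.trim() === "") {
    throw new Error("FS_BASE_DIRECTORY is not set; refusing to start unrestricted");
  }
  if (!path.isAbsolute(raw)) {
    throw new Error("FS_BASE_DIRECTORY must be an absolute path");
  }
  const real = fs.realpathSync(raw); // throws if the directory does not exist
  if (!fs.statSync(real).isDirectory()) {
    throw new Error("FS_BASE_DIRECTORY is not a directory");
  }
  // Added assumption: a base of "/" restricts nothing, so treat it as unset.
  if (real === path.parse(real).root) {
    throw new Error("FS_BASE_DIRECTORY must not be the filesystem root");
  }
  return real;
}

// Hypothetical helper: resolve a requested path and reject anything outside base.
function resolveInsideBase(base: string, requested: string): string {
  const candidate = path.resolve(base, requested);
  // Resolve symlinks on the deepest existing ancestor, so a link inside the
  // base directory cannot redirect a not-yet-created file outside it.
  let existing = candidate;
  while (fs.lstatSync(existing, { throwIfNoEntry: false }) === undefined) existing = path.dirname(existing);
  const real = path.join(fs.realpathSync(existing), path.relative(existing, candidate));
  const rel = path.relative(base, real);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("Access denied: path resolves outside the base directory");
  }
  return real;
}

// Constructed demo: run against a throwaway directory under the OS temp dir.
function demo(): string[] {
  const base = requireBaseDirectory({
    FS_BASE_DIRECTORY: fs.mkdtempSync(path.join(os.tmpdir(), "fs-base-")),
  });
  return ["notes/a.txt", "../../etc/passwd"].map((p) => {
    try { return "ok " + resolveInsideBase(base, p); } catch { return "denied " + p; }
  });
}
```

Calling `requireBaseDirectory(process.env)` in a wrapper before the server is spawned makes the unset-variable case a startup failure instead of an unrestricted run.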

Security findings

Flags from our evaluations, ordered by severity.

  • Medium

    OPT_IN_DIRECTORY_RESTRICTION

    Directory restriction requires the FS_BASE_DIRECTORY environment variable. If this variable is not set, the server starts with unrestricted filesystem access. The package documentation states this is 'a potential security risk' but does not prevent startup. The official server takes the opposite approach: it exits with an error if no allowed directory is provided, making the safe path the only path.

  • Info

    UNEXPECTED_RUNTIME_DEPENDENCY

    @google/genai is listed as a runtime dependency in package.json. Its purpose is not documented in the README or source entry point. This adds a large supply-chain surface (Google AI SDK) for a server whose core function is local filesystem access.

Test history

1 run

Every evaluation behind the score. This is the receipt.

  1. Pass · manual

    Reliability: 82/100
    Latency: 7 ms
    Setup: Moderate
    Flags: 2

    All 10 advertised tools verified with FS_BASE_DIRECTORY=/tmp/cyan-test: read_file, set_filesystem_default, write_file, update_file, list_files, delete_file, delete_directory, create_directory, move_path, copy_path. read_file and write_file both work correctly. list_files returns a tree-formatted listing. Path traversal to /etc/passwd correctly blocked: 'Access denied: The path resolves to a location outside the allowed base directory.' Note: tool names differ from the official server (list_files vs list_directory, move_path vs move_file).

    Medium: OPT_IN_DIRECTORY_RESTRICTION · Info: UNEXPECTED_RUNTIME_DEPENDENCY
