@modelcontextprotocol/server-filesystem
MCP serverVerified · Rung 3The official Anthropic-maintained filesystem MCP server. Exposes 14 tools for read, write, edit, search, and directory operations. Enforces a configurable allowlist of directories via command-line arguments or the MCP Roots protocol.
Score breakdown
Based on 1 evaluation. Confidence rises as more independent tests agree.
The verdict
The reference implementation. All 14 advertised tools pass functional testing. Directory allowlist is enforced at startup and at every operation: both read and write outside allowed directories are blocked with a clear error. Setup is a single npx command. The only design note worth flagging: the server grants full read-write access to every allowed directory with no per-directory read-only mode at the server level. Use Docker volume mounts with the ro flag if you need a read-only allowed directory. For any production agent deployment, this is the server to start with.
Security findings
Flags from our evaluations, ordered by severity.
- Info
NO_PER_DIR_READONLY
All allowed directories are granted full read-write access. There is no server-level per-directory read-only mode. Mitigation: use Docker volume mount with 'ro' flag when a read-only allowed directory is needed.
Test history
1 runEvery evaluation behind the score. This is the receipt.
- PassmanualReliability
95/100
Latency4 ms
SetupTrivial
Flags1
All 14 tools verified via stdio MCP protocol in sandbox (Node v22, npm package v2026.1.14). Tested: read_text_file, read_multiple_files, write_file, edit_file, create_directory, list_directory, list_directory_with_sizes, directory_tree, move_file, search_files, get_file_info, list_allowed_directories. All return correct results. Tool annotations (readOnlyHint, destructiveHint, idempotentHint) present and accurate.
InfoNO_PER_DIR_READONLY