@ai-capabilities-suite/mcp-filesystem
MCP serverVerified · Rung 3A specialized filesystem extension server from Digital-Defiance's AI Capabilities Suite. Provides 12 tools not found in standard filesystem servers: batch copy/move/delete operations, directory watching, content search and indexing, directory sync, checksums, symlink creation, and disk usage analysis. Intended as a complement to, not a replacement for, a standard filesystem server — it has no read_file or write_file tools.
Security cap applied
Score breakdown
Based on 1 evaluation. Confidence rises as more independent tests agree.
The verdict
Specialized extension server with 12 tools for batch operations, directory sync, watching, and disk analysis. Most tools respect the workspace boundary correctly. fs_analyze_disk_usage and fs_batch_operations (copy/move/delete) block out-of-workspace paths with a WORKSPACE_BOUNDARY_VIOLATION error. The exception is fs_copy_directory and fs_sync_directory, which do not validate the destination against the workspace root: confirmed in sandbox that files are successfully copied and synced to paths entirely outside the configured workspace. This allows an agent to exfiltrate workspace files to arbitrary writable locations or copy external files into the workspace from non-system paths. The workspace boundary the server advertises as its security model does not hold for these two tools.
This is a published failing verdict. We send the maintainer the full evaluation and a window to fix it or correct us before it goes live. Read the disclosure policy.
Security findings
Flags from our evaluations, ordered by severity.
- High
COPY_SYNC_DESTINATION_ESCAPE
fs_copy_directory and fs_sync_directory do not validate the destination path against the workspace root. Confirmed in sandbox: fs_copy_directory(source=workspace/sub, destination=/tmp/outside/escaped) succeeds and creates files at the outside path. fs_sync_directory(source=workspace/sub, destination=/tmp/outside/synced) also succeeds. Additionally, fs_copy_directory does not restrict the source path for non-system directories: copying from an arbitrary external path into the workspace also succeeds (WORKSPACE_BOUNDARY_VIOLATION is only raised for system paths like /etc). An agent using these tools can exfiltrate workspace contents to any writable location the process can access, or import files from external directories into the workspace.
- Info
SEARCH_ACCEPTS_OUTSIDE_PATH
fs_search_files accepts a searchPath outside the workspace without erroring — it returns an empty result set rather than a WORKSPACE_BOUNDARY_VIOLATION. In the tested case (searchPath=/etc, pattern=passwd), the result was {status: success, results: [], count: 0}. Whether the server actually scans the outside path or silently bounds it is unclear from the response alone. No file content was disclosed in testing.
Test history
1 runEvery evaluation behind the score. This is the receipt.
- PassmanualReliability
88/100
Latency3 ms
SetupEasy
Flags2
12 tools verified via stdio NDJSON in a Node sandbox (npm v0.1.9). Tools: fs_batch_operations, fs_watch_directory, fs_get_watch_events, fs_stop_watch, fs_search_files, fs_build_index, fs_create_symlink, fs_compute_checksum, fs_verify_checksum, fs_analyze_disk_usage, fs_copy_directory, fs_sync_directory. fs_batch_operations only supports copy/move/delete operation types (not read/write). fs_copy_directory and fs_sync_directory work correctly for in-workspace operations. fs_analyze_disk_usage returns size breakdown for workspace paths. This server has no read_file or write_file — it is an extension server.
HighCOPY_SYNC_DESTINATION_ESCAPEInfoSEARCH_ACCEPTS_OUTSIDE_PATH
Notify me if this grade changes
We re-test servers and grades move. Leave your email and we will tell you if this one does.