MCP Verdict

mcp-filesystem-server

MCP server · Verified · Rung 3
F · 40

Filesystem MCP server with unrestricted filesystem access and pwd-based relative paths. 13 tools for read, write, directory, and search operations. No directory allowlist: the server grants access to the entire host filesystem.


Score breakdown

Functional: 100/100
Reliability: 88/100
Latency: 100/100
Security: 40/100
Confidence: low · 50%

Based on 1 evaluation. Confidence rises as more independent tests agree.

Method: rung1.v1 · computed Jun 9, 2026

The verdict

Functionally complete but a security non-starter for any real deployment. The server ships with unrestricted filesystem access by design: it reads /etc/passwd without error, and its startup log says 'Unrestricted filesystem access enabled'. All 13 tools work correctly. The tools themselves are well-implemented. The problem is architectural: there is no directory allowlist, no configuration option to add one, and no path validation. Any agent using this server can read or modify any file the host OS user can access. Do not deploy this in any environment where the agent might receive untrusted input, where the host has sensitive files, or where the filesystem is shared with other processes. If you need a filesystem MCP server, use the official @modelcontextprotocol/server-filesystem instead.

This is a published failing verdict. We send the maintainer the full evaluation and a window to fix it or correct us before it goes live.

Security findings

Flags from our evaluations, ordered by severity.

  • High

    UNRESTRICTED_FILESYSTEM_ACCESS

    No directory allowlist. The server accesses any path the OS user can access. Confirmed: read_file('/etc/passwd') returns the full file contents. Startup log explicitly states 'Unrestricted filesystem access enabled'. There is no configuration option to restrict access. Any agent using this server can exfiltrate or modify any file on the host.

Test history

1 run

Every evaluation behind the score. This is the receipt.

  1. Pass · manual
    Reliability: 88/100
    Latency: 5 ms
    Setup: Easy
    Flags: 1

    All 13 advertised tools verified functional: read_file, read_binary_file, read_multiple_files, write_file, edit_file, create_directory, list_directory, directory_tree, move_file, search_files, get_file_info, list_directory_info, get_pwd. Reads, writes, listing, and search all return correct results. The server is functionally complete as advertised. The 'unrestricted' descriptor in the npm description is accurate and intentional.

    High · UNRESTRICTED_FILESYSTEM_ACCESS
