@redf0x1/mcp-server-filesystem
MCP server · Verified · Rung 3
Enhanced filesystem MCP server forked from the official Anthropic package with fixed glob pattern search, head+tail file reading, and shell command execution via run_command. Adds delete_file and runs on a directory allowlist.
Security cap applied
Score breakdown
Based on 1 evaluation. Confidence rises as more independent tests agree.
The verdict
The filesystem tools are correctly secured: the directory allowlist works, path traversal is blocked, and symlink escape is handled. The problem is run_command, which accepts arbitrary shell commands with no filtering beyond validating the working directory. Confirmed: from a cwd inside the allowed directory, run_command successfully reads /etc/passwd and writes files to paths outside the allowed directory. The allowlist that secures read_file and write_file does not secure run_command, because a shell process running inside an allowed directory is not restricted to that directory. Adding shell execution to a filesystem server fundamentally breaks the sandbox: the shell can do everything the filesystem tools do and more, without any of the containment. The glob search fix and head plus tail support are genuinely useful improvements over the official server, but neither is worth the tradeoff of a shell escape route in the same process. Do not use this server in any context where the agent might receive untrusted input or where filesystem isolation matters.
This is a published failing verdict. We send the maintainer the full evaluation and a window to fix it or correct us before it goes live.
Security findings
Flags from our evaluations, ordered by severity.
- High
COMMAND_EXECUTION_BYPASSES_ALLOWLIST
run_command accepts any shell command string. Only the workingDirectory parameter is validated against allowed directories — the command itself is not filtered or sandboxed. Confirmed: run_command('cat /etc/passwd', workingDirectory='/allowed/dir') returns the full file. run_command('echo pwned > /tmp/pwned.txt', workingDirectory='/allowed/dir') creates a file outside the allowed directory. The directory allowlist protects the filesystem tool set but does not constrain what the shell process can access or write.
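The gap described in the verdict and in this finding, reproduced as an added example (not code from the evaluated server): the same allowlist check confines a file tool but not a shell tool that only checks its working directory. The function names and the temporary directory layout are assumptions made up for this illustration.

```javascript
// Added illustration: constructed temp directories stand in for the allowed
// directory and for a location outside it. All names here are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { execSync } = require('node:child_process');

// Allowlist check of the kind applied to file paths and to workingDirectory.
function isInsideAllowed(target, allowedDirs) {
  const real = fs.realpathSync(target);
  return allowedDirs.some((dir) => real === dir || real.startsWith(dir + path.sep));
}

// File tool: the path being read is itself checked against the allowlist.
function readFileTool(file, allowedDirs) {
  if (!isInsideAllowed(file, allowedDirs)) throw new Error('access denied: ' + file);
  return fs.readFileSync(file, 'utf8');
}

// Shell tool: only the working directory is checked; the command string is not.
function runCommandTool(command, workingDirectory, allowedDirs) {
  if (!isInsideAllowed(workingDirectory, allowedDirs)) {
    throw new Error('access denied: ' + workingDirectory);
  }
  return execSync(command, { cwd: workingDirectory, encoding: 'utf8' });
}

function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'allowlist-demo-')));
  const allowed = path.join(base, 'allowed');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(allowed);
  fs.mkdirSync(outside);
  const marker = path.join(outside, 'marker.txt'); // constructed file outside the allowlist
  fs.writeFileSync(marker, 'outside-data\n');
  const result = { fileToolBlocked: false, shellOutput: null };
  try {
    try {
      readFileTool(marker, [allowed]);
    } catch (err) {
      result.fileToolBlocked = true; // the path check rejects the outside file
    }
    // Same allowlist, cwd passes validation, yet the child process reads the file.
    result.shellOutput = runCommandTool('cat ../outside/marker.txt', allowed, [allowed]);
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
  return result;
}

console.log(demo());
```

The working directory is only the starting point for the child process; confinement has to come from the process boundary itself (a container, a restricted user, or no shell tool at all), not from a path check on cwd.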
Test history
1 run
Every evaluation behind the score. This is the receipt.
- Pass · manual
Reliability: 83/100
Latency: 1 ms
Setup: Easy
Flags: 1
All 12 tools verified via sandbox (Node v22). Tools: read_file, read_multiple_files, write_file, delete_file, edit_file, create_directory, list_directory, search_files, get_file_info, move_file, run_command, list_allowed_directories. All filesystem operations work correctly. run_command executes shell commands and returns stdout/stderr. head+tail combined reading works. Glob search works with * and ** patterns. 11/11 test cases passed.
High: COMMAND_EXECUTION_BYPASSES_ALLOWLIST