Lightweight Scoped Filesystem MCP

Audited by ClawScan on May 14, 2026.

Overview

This is mostly a normal scoped filesystem tool, but its search_files tool appears to skip the workspace boundary check that its other file tools enforce and that the skill promises.

Install only if you are comfortable reviewing the filesystem boundary issue. Use a dedicated AGENT_WORKSPACE with no sensitive files, keep the server on stdio or localhost, and avoid broad or parent-directory glob patterns until search_files is hardened.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A prompt or agent could potentially use crafted glob patterns to enumerate filenames outside the intended workspace, weakening the promised filesystem boundary.

Why it was flagged

The search tool passes an agent-controlled glob_pattern straight to Path.glob and does not call safe_path or otherwise reject '..' path components first. Path.glob treats '..' as an ordinary literal segment, and relative_to() is a purely lexical operation, so a match such as WORKSPACE/../secrets/x is returned as '../secrets/x' without an error. This is weaker than the advertised workspace jail used by the other file tools.

Skill content
for p in WORKSPACE.glob(glob_pattern): ... matches.append(str(p.relative_to(WORKSPACE)))
Recommendation

Reject absolute glob patterns and any '..' components before calling glob, resolve each match (a symlink inside the workspace can still point outside it), and require the resolved path to remain under the resolved WORKSPACE. Add tests for '../*', '../../*', absolute patterns, and a symlink that targets a file outside the workspace.
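To make the finding and the fix concrete, here is an added, self-contained example (not code from the skill): search_files_unsafe reproduces the flagged shape from the skill's glob line, search_files_safe applies the recommended hardening, and demo() builds a constructed temporary layout with an agent_workspace directory next to a secrets directory. The function and exception names, the file contents, and the symlink case are assumptions made for the illustration.

```python
from pathlib import Path
import tempfile


class PathOutsideWorkspace(ValueError):
    """Raised when a glob pattern or a match would escape the workspace (hypothetical name)."""


def search_files_unsafe(workspace: Path, glob_pattern: str) -> list[str]:
    # Reproduces the flagged shape: the agent-controlled pattern goes straight to
    # Path.glob and matches are reported relative to the workspace. Path.glob
    # treats '..' as a literal segment and relative_to() is purely lexical, so
    # 'ws/../secrets/x' comes back as '../secrets/x' with no error.
    return sorted(str(p.relative_to(workspace)) for p in workspace.glob(glob_pattern))


def search_files_safe(workspace: Path, glob_pattern: str) -> list[str]:
    root = workspace.resolve()
    pattern = Path(glob_pattern)
    # 1. Refuse patterns that leave the workspace before touching the filesystem.
    if pattern.is_absolute() or glob_pattern.startswith(("/", "\\")) or ".." in pattern.parts:
        raise PathOutsideWorkspace(f"rejected glob pattern: {glob_pattern!r}")
    matches = []
    for p in root.glob(glob_pattern):
        # 2. A symlink inside the workspace may still point outside: resolve the
        #    match and require the real path to stay under the resolved root.
        real = p.resolve()
        if not real.is_relative_to(root):
            continue
        matches.append(str(p.relative_to(root)))
    return sorted(matches)


def pattern_rejected(workspace: Path, glob_pattern: str) -> bool:
    """True if the hardened search refuses the pattern outright."""
    try:
        search_files_safe(workspace, glob_pattern)
    except PathOutsideWorkspace:
        return True
    return False


def demo() -> dict:
    """Constructed layout: <tmp>/agent_workspace (the jail) next to <tmp>/secrets."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        ws = base / "agent_workspace"
        ws.mkdir()
        (ws / "notes.txt").write_text("inside the workspace\n")
        secrets = base / "secrets"
        secrets.mkdir()
        (secrets / "id_rsa").write_text("constructed placeholder, not a real key\n")
        try:  # symlink from inside the jail to a file outside it (may be disallowed on some hosts)
            (ws / "link").symlink_to(secrets / "id_rsa")
            has_link = True
        except OSError:
            has_link = False
        unsafe_inside = search_files_unsafe(ws, "*")
        safe_inside = search_files_safe(ws, "*")
        return {
            "leaked": search_files_unsafe(ws, "../*/*"),      # sibling directory enumerated
            "traversal_rejected": pattern_rejected(ws, "../*/*"),
            "absolute_rejected": pattern_rejected(ws, "/etc/*"),
            "inside": safe_inside,                            # only real workspace files
            "link_leaked_by_unsafe": has_link and "link" in unsafe_inside,
            "link_filtered": not has_link or "link" not in safe_inside,
        }


if __name__ == "__main__":
    print(demo())
```

The unsafe version returns '../secrets/id_rsa' for the pattern '../*/*', which is exactly the enumeration the finding describes; the hardened version raises on that pattern and, for '*', silently drops the symlink whose resolved target lies outside the root. Current CPython already raises NotImplementedError for absolute glob patterns, so the explicit absolute-pattern check mainly documents intent and protects against future library changes.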

What this means

Installing and running the skill depends on trusting the uv installer and the Python dependency chain.

Why it was flagged

The setup instructions ask the user to run an external installer and then install Python dependencies. This is user-directed and expected for the skill, but it relies on external package provenance.

Skill content
curl -Lsf https://astral.sh/uv/install.sh | sh ... uv sync
Recommendation

Install uv from a trusted source (download the installer to a file and read it before running it rather than piping curl into sh), review the dependency set, and for production use commit uv.lock and run uv sync --locked so that a drifted lockfile fails the install instead of being silently re-resolved.

What this means

If bound to a non-local interface without network controls, another client could potentially use the MCP tools to read or modify files in the workspace.

Why it was flagged

The server can run over HTTP/SSE and expose file tools through MCP. The default host is localhost, but no authentication or origin restriction is shown in the artifacts.

Skill content
mcp.run(transport="streamable-http", host=host, port=port, show_banner=False) ... mcp.run(transport="sse", host=host, port=port, show_banner=False)
Recommendation

Use stdio, or keep MCP_HOST at 127.0.0.1 by default. Even a loopback bind is reachable from a browser on the same machine through DNS rebinding, so the HTTP and SSE transports should validate the Host and Origin headers of every request. If remote access is needed, require authentication (for example a bearer token) and restrict the listener with network access controls.
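The following is an added example of the startup and per-request policy this recommendation implies; it is not the skill's own code and does not use the MCP server library's API. The environment variable names MCP_TRANSPORT, MCP_AUTH_TOKEN and MCP_PORT, the exception name, and the sample header dictionaries are assumptions; only MCP_HOST and the two transport names come from the audited artifacts.

```python
import hmac
import ipaddress


class UnsafeBindError(RuntimeError):
    """Refuse to expose file tools on a non-loopback interface without auth (hypothetical name)."""


def is_loopback(host: str) -> bool:
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def choose_transport(env: dict) -> dict:
    """Map MCP_* variables onto run() arguments; refuses an unauthenticated non-local bind."""
    transport = env.get("MCP_TRANSPORT", "stdio")
    if transport == "stdio":
        return {"transport": "stdio"}
    if transport not in ("streamable-http", "sse"):
        raise ValueError(f"unknown transport {transport!r}")
    host = env.get("MCP_HOST", "127.0.0.1")
    token = env.get("MCP_AUTH_TOKEN")
    if not is_loopback(host) and not token:
        raise UnsafeBindError(
            f"MCP_HOST={host} is reachable off-box; set MCP_AUTH_TOKEN or bind 127.0.0.1"
        )
    return {"transport": transport, "host": host,
            "port": int(env.get("MCP_PORT", "8000")), "token": token}


def bind_is_refused(env: dict) -> bool:
    try:
        choose_transport(env)
    except UnsafeBindError:
        return True
    return False


def request_allowed(headers: dict, token, allowed_hosts, allowed_origins) -> bool:
    """Per-request gate for the HTTP transports. headers: lower-cased name -> value."""
    # Host check defeats DNS rebinding: a page served from attacker.example that
    # rebinds its name to 127.0.0.1 still sends 'Host: attacker.example:<port>'.
    if headers.get("host") not in allowed_hosts:
        return False
    # Browsers attach Origin on cross-site and POST requests; non-browser MCP
    # clients omit it, so only an Origin that is present and unknown is rejected.
    origin = headers.get("origin")
    if origin is not None and origin not in allowed_origins:
        return False
    if token is not None:
        scheme, _, presented = headers.get("authorization", "").partition(" ")
        # Constant-time comparison so the token cannot be recovered byte by byte.
        if scheme != "Bearer" or not hmac.compare_digest(presented, token):
            return False
    return True


if __name__ == "__main__":
    print(choose_transport({}))
    print(bind_is_refused({"MCP_TRANSPORT": "sse", "MCP_HOST": "0.0.0.0"}))
```

choose_transport keeps stdio as the default and only permits a 0.0.0.0 bind when a token is configured; request_allowed is what a middleware in front of the file tools would call, and its Host check is what closes the localhost rebinding gap that the Origin check alone leaves open for plain GET requests.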