Filesystem MCP Server
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill’s filesystem access is disclosed and purpose-aligned, but it is powerful and should be configured to narrow, user-approved directories.
This skill appears coherent and not malicious based on the provided artifacts, but it grants agents meaningful local file power. Install only from a verified upstream source, pin or review the package if possible, configure only the specific folders needed, and use read-only mode unless the agent truly needs to write, move, or delete files.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could change, move, or delete files inside the directories the user allows.
The skill intentionally exposes broad filesystem mutation and deletion tools. This is purpose-aligned, but high-impact if the user configures broad directories.
Read, write, create, delete, move, search files and directories ... Full Access (default)
Configure the smallest necessary directories, prefer read-only mode when possible, and review destructive file changes before approving them.
A changed or compromised upstream npm package could affect the local filesystem server the user runs.
The skill instructs users to install or run an external npm package without a pinned version. This is normal for this integration style, but users rely on npm package provenance.
npm install -g @modelcontextprotocol/server-filesystem ... "command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem"
Verify the npm package source, consider pinning a known-good version, and install from the official project repository where possible.
If broad or sensitive folders are allowed, private files or credentials may be read by the agent during a task.
The documented search and read operations can surface secrets or private content from allowed local paths into the agent’s working context.
Agent: "Search for files containing 'API_KEY'"
Do not allow home directories, credential stores, or secret-heavy folders unless necessary; use read-only access for inspection tasks and exclude sensitive paths.
