Filesystem MCP Server
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: filesystem-mcp
Version: 1.0.0

The skill bundle describes a 'Filesystem MCP Server' designed for secure, sandboxed file operations for AI agents. The `SKILL.md` explicitly details robust security features like sandboxed access, path validation, and permission controls, and provides best practices for secure configuration. There are no instructions for prompt injection, data exfiltration, malicious execution, or persistence within the provided files. The installation and configuration steps are for setting up the server itself, not for the agent to perform unauthorized actions. While filesystem access is a powerful capability, the documentation emphasizes a security-first design, classifying it as benign based on the provided content.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could change, move, or delete files inside the directories the user allows.
The skill intentionally exposes broad filesystem mutation and deletion tools. This is purpose-aligned, but high-impact if the user configures broad directories.
Read, write, create, delete, move, search files and directories ... Full Access (default)
Configure the smallest necessary directories, prefer read-only mode when possible, and review destructive file changes before approving them.

A changed or compromised upstream npm package could affect the local filesystem server the user runs.
The skill instructs users to install or run an external npm package without a pinned version. This is normal for this integration style, but users rely on npm package provenance.
npm install -g @modelcontextprotocol/server-filesystem ... "command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem"
Verify the npm package source, consider pinning a known-good version, and install from the official project repository where possible.

If broad or sensitive folders are allowed, private files or credentials may be read by the agent during a task.
The documented search and read operations can surface secrets or private content from allowed local paths into the agent's working context.
Agent: "Search for files containing 'API_KEY'"
Do not allow home directories, credential stores, or secret-heavy folders unless necessary; use read-only access for inspection tasks and exclude sensitive paths.
