Filesystem MCP Server
The reference server that gives an agent read/write access to your disk, fenced to directories you name. Simple, official, and the single sharpest tool in the drawer.
What it actually does
Part of Anthropic's reference server collection, this exposes file operations — read, write, edit, move, search, directory listings — over MCP. You pass it the directories it may touch as arguments, and everything outside that fence is invisible to it. That fence is the whole security model, so draw it deliberately: pointing it at a project folder is a workflow; pointing it at your home directory is a leap of faith. Because it ships in the official modelcontextprotocol/servers repo, the code is short, readable, and worth the ten minutes it takes to actually read.
Install
Read the source before you run this. Yes, actually.
From the desk
The Sunnyvale take
This is the server everyone actually runs, usually without thinking about it. It's well-built and boring in the best way — but 'high risk' here is not editorial drama. It's a file manager with no undo and an enthusiastic operator.
Why it matters
File access is the difference between an agent that talks about your code and one that edits it. This is the canonical implementation of that capability, and half the ecosystem copies its design.
In practice
Scope it to a single project directory and let an agent apply a mechanical refactor across forty files — the kind of change that's easy to review as a diff and miserable to type by hand.
The skeptic's note
The allowlist fence only works if you respect it. Most horror stories start with someone passing ~ because it was easier.
Use cases
- Agent edits a codebase or documents in place
- Bulk file reorganization and renaming
- Local knowledge-base search without a cloud upload
Risks & caveats
Read/write access to everything under the allowed directories, including dotfiles and credentials if they live there. The directory allowlist is the only guardrail. Never point it at a directory containing secrets, SSH keys, or your browser profile.
Related tools
Full indexSame shelf, different trade-offs.
GitHub MCP Server
GitHub's official MCP server — lets an agent read repos, file issues, and push code with your credentials, which is exactly as useful and as dangerous as it sounds.
Fetch MCP Server
The reference web-fetch server: give an agent a URL, get back the page as readable markdown. Small, honest, and easier to misuse than it looks.