Fourteen filesystem tools discovered
The server exposed 14 tools, including read, write, edit, move, directory tree, search, metadata, and allowed-directory inspection.
evidence/trust5/2026-06-11-mcp-pilot.json
MCP serverPublished
MCP Filesystem Reference Server
The Filesystem reference server passed a real MCP smoke test for tool discovery, allowed-directory read/write, and denial of an out-of-scope /etc/hosts read. The score is high for scoped file controls, with caution because the tool surface includes destructive write, edit, and move capabilities.
Independent trust badge
The visible trust mark for this verdict.
Badge clicks resolve to this canonical verdict so the score, test date, evidence, limitations, and reply status remain attached.
Embed
Show this badge on your site
[](https://silentcritique.com/verdicts/mcp-filesystem-reference)Markdown works in GitHub READMEs. The badge always links back to this verdict.
Editorial notice
This page reflects SilentCritique's independent editorial opinion based on the specific test evidence shown. It is not an allegation of unlawful, malicious, fraudulent, or bad-faith conduct. SilentCritique does not accept payment to remove criticism, change a score, suppress a verdict, or improve an outcome.
Claim tested
Can the public Filesystem MCP server expose file tools, operate inside an allowed directory, and deny a read outside that scope?
Evaluator panel
Protocol harnessSafety reviewerOperator skeptic
Evidence reviewed
Allowed read and write succeeded
The harness read a fixture file and wrote a new file inside the allowed temporary directory through MCP tool calls.
evidence/trust5/2026-06-11-mcp-pilot.json
Out-of-scope read was denied
The attempted /etc/hosts read returned an access-denied tool error because it was outside the configured allowed directory.
evidence/trust5/2026-06-11-mcp-pilot.json
Test setup
- Started @modelcontextprotocol/server-filesystem@2026.1.14 over MCP stdio with a canonical temporary directory as the only allowed root.
- Used the official MCP client SDK to initialize the server, list tools, read a fixture file, write a file inside the allowed root, and attempt to read /etc/hosts outside the allowed root.
- Stored the full tool-call evidence in evidence/trust5/2026-06-11-mcp-pilot.json.
Strengths
- Directory scoping behaved correctly in the smoke test.
- The tool list is explicit enough for a client to distinguish read and write surfaces.
- The server returned an understandable denial message for the blocked outside-read attempt.
Failure modes
- Write, edit, and move tools are powerful and can be destructive if the client grants a broad root.
- Safety depends heavily on correct client configuration of allowed directories.
- This test did not exercise symlink escape attempts, concurrent edits, or malicious path names.
What would improve the score
- Publish a client-facing checklist for safe root selection.
- Add canned tests for symlink handling and destructive-operation confirmation.
- Expose clearer badge language separating read-only and write-capable deployments.
Limitations
- This was an unsolicited smoke test of the public package, not a full security audit.
- Only local stdio operation on macOS was tested.
- The test did not inspect source code beyond public documentation and observed MCP behavior.
Visible dissent
- The safety reviewer scored this high because the out-of-scope read was blocked.
- The operator skeptic withheld points because a broad allowed root would make the same server dangerous in practice.
Right of reply
No vendor reply has been requested or published as of 2026-06-11. SilentCritique will publish factual corrections or a right of reply through the corrections process.
Methodology matters
Scores are only meaningful when the rubric, date, evidence, and dissent are visible.
Read methodology