Fidensa
MCP Server Certified

mcp-server-filesystem

Provides sandboxed filesystem operations including reading, writing, moving, and searching files within configurable allowed directories through the Model Context Protocol.

90

/ 100 · Grade A

Maturity: Initial

I need to safely perform file and directory operations with controlled access permissions in applications that use the Model Context Protocol.

filesystemfile managementmcp serversandboxed operations
Publisher: Model Context Protocol a Series of LF Projects, LLC.Version: 0.6.3Certified: Mar 16, 2026Expires: Mar 16, 2027Source ↗

Trust Score Breakdown

Eight weighted signals composing the aggregate trust score

security scan
100% × 15w
15.0
supply chain
100% × 10w
10.0
behavioral pass
80% × 20w
16.0
contract accuracy
98% × 15w
14.7
adversarial
75% × 5w
3.8
consumer confirm
80% × 20w
16.0
provenance
100% × 10w
10.0
uptime
100% × 5w
5.0

Scheme v1.1 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.

Pipeline Completion

Stages executed during verification

stage1-ingest completed
stage2a-sbom completed
stage2b-security completed
stage3a-functional completed
stage3b-adversarial completed
stage3c-fingerprint completed

Supply Chain

SBOM analysis and vulnerability assessment

Components

270

Direct deps

1

Transitive deps

269

Total vulns

17

Vulnerability breakdown

critical: 0high: 10medium: 0low: 7

Format: CycloneDX 1.5 · Generated: Mar 16, 2026

Security Scan

Cisco MCP Scanner — static and behavioral analysis

cisco-mcp-scannerSAFE
yarallmreadiness
critical: 0high: 0medium: 0low: 0informational: 0
Live scan: error · 0 findings · 12149ms
Code scan: completed · 0 findings · 9426ms

Adversarial Testing

Structured attack patterns from the Fidensa adversarial taxonomy

Categories tested

5

Findings

1

Methodology

v1.0

Categories

prompt injection chainsprivilege escalationdata exfiltration side channelscapability squattingdependency confusion

Findings

highprompt injection chainsconfirmed

The MCP server crashed while processing adversarial input. Crash occurred during test "Step 1 of path traversal chain: Create a config file with path traversal payloads embedded in seemingly legitimate configuration values" on tool write_file. A robust server should handle all inputs gracefully without crashing.

Behavioral Fingerprint

Runtime performance baseline for drift detection

Samples

255

Error rate

0.0%

Peak memory

70.2 MB

Avg CPU

0.13%

Response time distribution

p50: 4msp95: 10msp99: 18ms

Output size distribution

p50: 204 Bp95: 1.1 KBmean: 294 B

Per-tool performance

Toolp50p95Error rateSamples
edit_file4ms14ms0.0%23
move_file4ms9ms0.0%21
read_file4ms11ms0.0%26
write_file5ms9ms0.0%21
search_files4ms11ms0.0%25
get_file_info3ms7ms0.0%14
directory_tree3ms5ms0.0%18
list_directory4ms6ms0.0%14
read_text_file4ms5ms0.0%26
read_media_file3ms6ms0.0%14
create_directory4ms6ms0.0%14
read_multiple_files3ms8ms0.0%12
list_allowed_directories2ms3ms0.0%6
list_directory_with_sizes3ms5ms0.0%21

Fingerprint v1.0 · Baseline: Mar 16, 2026 · Status: baseline

Interface

Enumerated tools, resources, and prompts

Tools (14)

read_file

Read the complete contents of a file as text. DEPRECATED: Use read_text_file instead.

read_text_file

Read the complete contents of a file from the file system as text. Handles various text encodings and provides detailed error messages if the file cannot be read. Use this tool when you need to examine the contents of a single file. Use the 'head' parameter to read only the first N lines of a file, or the 'tail' parameter to read only the last N lines of a file. Operates on the file as text regardless of extension. Only works within allowed directories.

read_media_file

Read an image or audio file. Returns the base64 encoded data and MIME type. Only works within allowed directories.

read_multiple_files

Read the contents of multiple files simultaneously. This is more efficient than reading files one by one when you need to analyze or compare multiple files. Each file's content is returned with its path as a reference. Failed reads for individual files won't stop the entire operation. Only works within allowed directories.

write_file

Create a new file or completely overwrite an existing file with new content. Use with caution as it will overwrite existing files without warning. Handles text content with proper encoding. Only works within allowed directories.

edit_file

Make line-based edits to a text file. Each edit replaces exact line sequences with new content. Returns a git-style diff showing the changes made. Only works within allowed directories.

create_directory

Create a new directory or ensure a directory exists. Can create multiple nested directories in one operation. If the directory already exists, this operation will succeed silently. Perfect for setting up directory structures for projects or ensuring required paths exist. Only works within allowed directories.

list_directory

Get a detailed listing of all files and directories in a specified path. Results clearly distinguish between files and directories with [FILE] and [DIR] prefixes. This tool is essential for understanding directory structure and finding specific files within a directory. Only works within allowed directories.

list_directory_with_sizes

Get a detailed listing of all files and directories in a specified path, including sizes. Results clearly distinguish between files and directories with [FILE] and [DIR] prefixes. This tool is useful for understanding directory structure and finding specific files within a directory. Only works within allowed directories.

directory_tree

Get a recursive tree view of files and directories as a JSON structure. Each entry includes 'name', 'type' (file/directory), and 'children' for directories. Files have no children array, while directories always have a children array (which may be empty). The output is formatted with 2-space indentation for readability. Only works within allowed directories.

move_file

Move or rename files and directories. Can move files between directories and rename them in a single operation. If the destination exists, the operation will fail. Works across different directories and can be used for simple renaming within the same directory. Both source and destination must be within allowed directories.

search_files

Recursively search for files and directories matching a pattern. The patterns should be glob-style patterns that match paths relative to the working directory. Use pattern like '*.ext' to match files in current directory, and '**/*.ext' to match files in all subdirectories. Returns full paths to all matching items. Great for finding files when you don't know their exact location. Only searches within allowed directories.

get_file_info

Retrieve detailed metadata about a file or directory. Returns comprehensive information including size, creation time, last modified time, permissions, and type. This tool is perfect for understanding file characteristics without reading the actual content. Only works within allowed directories.

list_allowed_directories

Returns the list of directories that this server is allowed to access. Subdirectories within these allowed directories are also accessible. Use this to understand which directories and their nested paths are available before trying to access files.

Transport: stdio

Scope & Permissions

What this capability can and cannot access — derived from pipeline analysis

creates files

yes

deletes files

yes

modifies files

yes

accesses env variables

no

invokes external tools

no

makes network requests

no

Side effects

May modify files on disk

May create new files or directories

May delete files or directories

Behavioral Guarantees

Claims extracted from publisher documentation — each tagged with provenance

Read/write files

author

Create/list/delete directories

author

Move files/directories

author

Search files

author

Get file metadata

author

Provide dynamic directory access control via Roots

author

Restrict all filesystem operations to allowed directories

author

Read complete contents of a file as text

author

Read image or audio files and return base64 data with MIME type

author

Read multiple files simultaneously

author

Create new file or overwrite existing

author

Make selective edits using advanced pattern matching and formatting

author

Create new directory or ensure it exists

author

List directory contents with [FILE] or [DIR] prefixes

author

Move or rename files and directories

author

Recursively search for files/directories that match or do not match patterns

author

Get recursive JSON tree structure of directory contents

author

Get detailed file/directory metadata

author

List all directories the server is allowed to access

author

Replace ALL allowed directories with client's roots when roots protocol is used

author

Request roots from client via roots/list on initialization

author

Handle runtime updates via notifications/roots/list_changed

author

Create parent directories if needed

author

Stream files and return base64 data

author

Preserve indentation style and whitespace normalization

author

Provide Git-style diff output with context

author

Preview changes with dry run mode

author

Known failure modes

Server will throw an error during initialization if it starts without command-line arguments AND client doesn't support roots protocol or provides empty roots

Failed reads won't stop the entire operation in read_multiple_files

Move operation fails if destination exists

Re-applying edits can fail or double-apply

Server requires at least ONE allowed directory to operate

Roots notified by Client to Server completely replace any server-side allowed directories when provided

Sources: author, protocol

Review Flags

6 flags · 0 blocking

highsecuritystage3b-adversarial

Adversarial finding (prompt_injection_chains): The MCP server crashed while processing adversarial input. Crash occurred during test "Step 1 of path traversal chain: Create a config file with path traversal payloads embedded in seemingly legitimate configuration values" on tool write_file. A robust server should handle all inputs gracefully without crashing.

highpermissionscapability-config

Capability is classified as critical risk — requires thorough review of all security findings

mediumcontentstage4-assembler

Description section was synthesized by LLM from stage data — verify accuracy

mediumcontentstage4-assembler

Behavioral guarantees derived from README — verify accuracy against observed behavior

mediumpublisherstage1-ingest

Publisher "Model Context Protocol a Series of LF Projects, LLC." is not verified — first certification from this publisher

mediumpermissionsstage4-assembler

Capability requires filesystem write access — review scope of file operations

Signed Artifact

Certification provenance and verification metadata

Content hashsha256:ea36e36a5a7e721e197591ed4de6003d35901de27fb3dc94d1ad7fa0cc7eb004
Key IDplatform-key-2026-03
CertifiedMar 16, 2026
ExpiresMar 16, 2027
Pipeline version1.0
Statusvalid
attestation API →badge →

Pipeline Artifacts

Raw data files from this certification run — downloadable for independent verification

contract.json

Full unsigned contract

stage1-ingest.json

Ingest stage output

stage2a-sbom.json

SBOM generation results

stage2a-vulns.json

Vulnerability scan results

stage2b-security.json

Security scan results

stage3a-functional.json

Functional test results

stage3b-adversarial.json

Adversarial test results

stage3c-fingerprint.json

Behavioral fingerprint

stage4-certify.json

Certification decision + trust score

stage3a-measurements.json

Raw functional test measurements

stage3b-measurements.json

Raw adversarial test measurements

run-log.json

Pipeline execution log

Files served from Supabase Storage. Not all files may be present for every certification.