Alpha Preview: Fidensa is currently in early testing. Scores are for demonstration purposes and are not considered final or reliable.

MCP Server Verified

mcp-server-filesystem

Provides sandboxed filesystem operations including reading, writing, moving, and searching files within configurable allowed directories through the Model Context Protocol.

60 / 100 · Grade F-D

F-D = below 60 (deductions)

I need to safely perform file and directory operations with controlled access permissions in applications that use the Model Context Protocol.

filesystem · file management · mcp server · sandboxed operations
Publisher: Model Context Protocol a Series of LF Projects, LLC. · Version: 0.6.3 · Certified: Mar 28, 2026 · Expires: Mar 28, 2027

mcp-server-filesystem earned Verified status with a trust score of 60/100 (Grade F-D). Adversarial testing produced 4 findings (3 critical, 1 high). Supply chain contains 281 components with 20 known vulnerabilities. Security scan: clean. Tier is Verified rather than Certified due to unmitigated findings above severity thresholds.


Trust Score Breakdown

Eight weighted signals composing the aggregate trust score

security scan · 100% × 15w · 15.0
supply chain · 0% × 10w · 0.0
adversarial · 0% × 25w · 0.0
provenance · 100% × 20w · 20.0
consumer confirm · 80% × 10w · 8.0
behavioral pass · 80% × 10w · 8.0
contract accuracy · 98% × 6w · 5.9
uptime · 100% × 4w · 4.0

Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.


Findings

Security scan results, adversarial testing, and pipeline review

Security Scan — Cisco MCP Scanner

cisco-mcp-scanner · SAFE
yara · llm · readiness
critical: 0 · high: 0 · medium: 0 · low: 0
Live scan: error · 0 findings · 6649ms
Code scan: completed · 0 findings · 5724ms

Adversarial Testing — 5 categories, 4 findings

prompt injection chains · privilege escalation · data exfiltration side channels · capability squatting · dependency confusion

critical · Block · privilege escalation · confirmed

Tool "edit_file" responded to adversarial input "Double-encoded traversal" with content containing sensitive data patterns: credential.

critical · Block · privilege escalation · confirmed

Tool "edit_file" responded to adversarial input "URL-encoded traversal" with content containing sensitive data patterns: credential.

high · Warn · prompt injection chains · confirmed

Tool "directory_tree" responded to injection input "Step 1 of reconnaissance chain: Generate directory structure output that could reveal sensitive paths or be parsed to construct path traversal attacks in subsequent operations" with 2 distinct indicators suggesting the model's guardrails may have collapsed. Matched patterns: env(?:ironment)?\s*(?:var|variable), api[_\s]?key

critical · Block · data exfiltration side channels · confirmed

Tool "read_multiple_files" responded to adversarial input "Attempt to read common credential storage files including AWS credentials, SSH config, database configs, and system files that may contain authentication data" with content containing sensitive data patterns: credential.

Methodology v1.0 · 5 categories · ~55 attack patterns


OWASP MCP Top 10 Coverage

Evaluation activity mapped to the OWASP MCP Top 10 risk framework

MCP01 covered

Excessive Agency & Permissions

Cisco scanner behavioral analysis of permission scope

MCP02 covered

Unauthorized Data Access

Category 3 (data exfiltration) attack patterns

MCP03 covered

Tool Poisoning

Category 1 (prompt injection) and Category 5 (context poisoning) attack patterns

MCP04 covered

Supply Chain Vulnerabilities

SBOM generation (syft/cdxgen) and vulnerability scanning (grype/osv-scanner/npm audit)

MCP05 covered

Command Injection

Category 2 (privilege escalation) and Category 6 (repo config injection) attack patterns

MCP06 covered

Intent Subversion

Category 1 (prompt injection) and Category 4 (capability squatting) attack patterns

MCP07 covered

Insecure Data Handling

Cisco scanner data flow and sensitive data handling analysis

MCP08 gap

Insufficient Logging

Not directly tested — logging adequacy requires runtime observation beyond current pipeline scope

MCP09 covered

Resource Exhaustion

Resource profiling (CPU, memory) during functional and adversarial testing

MCP10 covered

Context Injection

Category 5 (context poisoning) attack patterns

OWASP MCP Top 10 (Beta) — owasp.org/www-project-mcp-top-10


Supply Chain

SBOM analysis and vulnerability assessment

Components: 281

Direct deps: 12

Transitive deps: 269

Total vulns: 20

Vulnerability breakdown

critical: 0 · high: 11 · medium: 0 · low: 9

Format: CycloneDX 1.5 · Generated: Mar 28, 2026


Behavioral Fingerprint

Runtime performance baseline for drift detection

Samples: 1068

Error rate: 0.0%

Peak memory: 72.0 MB

Avg CPU: 0.03%

Response time distribution

p50: 2ms · p95: 4ms · p99: 6ms

Output size distribution

p50: 223 B · p95: 478 B · mean: 262 B

Per-tool performance

Tool                       p50   p95   Error rate  Samples
edit_file                  2ms   6ms   0.0%        68
move_file                  2ms   4ms   0.0%        110
read_file                  2ms   3ms   0.0%        97
write_file                 3ms   5ms   0.0%        115
search_files               1ms   3ms   0.0%        130
get_file_info              1ms   3ms   0.0%        58
directory_tree             1ms   3ms   0.0%        64
list_directory             1ms   2ms   0.0%        60
read_text_file             1ms   2ms   0.0%        105
read_media_file            2ms   4ms   0.0%        57
create_directory           2ms   3ms   0.0%        59
read_multiple_files        1ms   3ms   0.0%        29
list_allowed_directories   1ms   1ms   0.0%        9
list_directory_with_sizes  1ms   3ms   0.0%        107

Fingerprint v1.0 · Baseline: Mar 28, 2026 · Status: baseline


Interface

Enumerated tools, resources, and prompts

Tools (14)

read_file

Read the complete contents of a file as text. DEPRECATED: Use read_text_file instead.

read_text_file

Read the complete contents of a file from the file system as text. Handles various text encodings and provides detailed error messages if the file cannot be read. Use this tool when you need to examine the contents of a single file. Use the 'head' parameter to read only the first N lines of a file, or the 'tail' parameter to read only the last N lines of a file. Operates on the file as text regardless of extension. Only works within allowed directories.

read_media_file

Read an image or audio file. Returns the base64 encoded data and MIME type. Only works within allowed directories.

read_multiple_files

Read the contents of multiple files simultaneously. This is more efficient than reading files one by one when you need to analyze or compare multiple files. Each file's content is returned with its path as a reference. Failed reads for individual files won't stop the entire operation. Only works within allowed directories.

write_file

Create a new file or completely overwrite an existing file with new content. Use with caution as it will overwrite existing files without warning. Handles text content with proper encoding. Only works within allowed directories.

edit_file

Make line-based edits to a text file. Each edit replaces exact line sequences with new content. Returns a git-style diff showing the changes made. Only works within allowed directories.

create_directory

Create a new directory or ensure a directory exists. Can create multiple nested directories in one operation. If the directory already exists, this operation will succeed silently. Perfect for setting up directory structures for projects or ensuring required paths exist. Only works within allowed directories.

list_directory

Get a detailed listing of all files and directories in a specified path. Results clearly distinguish between files and directories with [FILE] and [DIR] prefixes. This tool is essential for understanding directory structure and finding specific files within a directory. Only works within allowed directories.

list_directory_with_sizes

Get a detailed listing of all files and directories in a specified path, including sizes. Results clearly distinguish between files and directories with [FILE] and [DIR] prefixes. This tool is useful for understanding directory structure and finding specific files within a directory. Only works within allowed directories.

directory_tree

Get a recursive tree view of files and directories as a JSON structure. Each entry includes 'name', 'type' (file/directory), and 'children' for directories. Files have no children array, while directories always have a children array (which may be empty). The output is formatted with 2-space indentation for readability. Only works within allowed directories.

move_file

Move or rename files and directories. Can move files between directories and rename them in a single operation. If the destination exists, the operation will fail. Works across different directories and can be used for simple renaming within the same directory. Both source and destination must be within allowed directories.

search_files

Recursively search for files and directories matching a pattern. The patterns should be glob-style patterns that match paths relative to the working directory. Use pattern like '*.ext' to match files in current directory, and '**/*.ext' to match files in all subdirectories. Returns full paths to all matching items. Great for finding files when you don't know their exact location. Only searches within allowed directories.

get_file_info

Retrieve detailed metadata about a file or directory. Returns comprehensive information including size, creation time, last modified time, permissions, and type. This tool is perfect for understanding file characteristics without reading the actual content. Only works within allowed directories.

list_allowed_directories

Returns the list of directories that this server is allowed to access. Subdirectories within these allowed directories are also accessible. Use this to understand which directories and their nested paths are available before trying to access files.

Transport: stdio


Scope & Permissions

What this capability can and cannot access — derived from pipeline analysis

creates files: yes

deletes files: yes

modifies files: yes

accesses env variables: no

invokes external tools: no

makes network requests: no

Side effects

May modify files on disk

May create new files or directories

May delete files or directories


Behavioral Guarantees

Claims extracted from publisher documentation — each tagged with provenance

Read/write files · author

Create/list/delete directories · author

Move files/directories · author

Search files · author

Get file metadata · author

Provide dynamic directory access control via Roots · author

Restrict all filesystem operations to allowed directories · author

Read complete contents of a file as text · author

Read image or audio files and return base64 data with MIME type · author

Read multiple files simultaneously · author

Create new file or overwrite existing · author

Make selective edits using advanced pattern matching and formatting · author

Create new directory or ensure it exists · author

List directory contents with [FILE] or [DIR] prefixes · author

Move or rename files and directories · author

Recursively search for files/directories that match or do not match patterns · author

Get recursive JSON tree structure of directory contents · author

Get detailed file/directory metadata · author

List all directories the server is allowed to access · author

Replace ALL allowed directories with client's roots when roots protocol is used · author

Request roots from client via roots/list on initialization · author

Handle runtime updates via notifications/roots/list_changed · author

Create parent directories if needed · author

Stream files and return base64 data · author

Preserve indentation style and whitespace normalization · author

Provide Git-style diff output with context · author

Preview changes with dry run mode · author

Known failure modes

Server will throw an error during initialization if it starts without command-line arguments AND client doesn't support roots protocol or provides empty roots

Failed reads won't stop the entire operation in read_multiple_files

Move operation fails if destination exists

Re-applying edits can fail or double-apply

Server requires at least ONE allowed directory to operate

Roots notified by Client to Server completely replace any server-side allowed directories when provided

Sources: author, protocol


Certification Notes

Provenance observations from the pipeline

permissions

Capability is classified as critical risk — requires thorough review of all security findings

publisher

Publisher "Model Context Protocol a Series of LF Projects, LLC." is not verified — first certification from this publisher

permissions

Capability requires filesystem write access — review scope of file operations

provenance

Single contributor — no peer review evidence in commit history

provenance

Repository is 11 days old — recently created


Signed Artifact

Certification provenance and verification metadata