MCP PreflightLocal MCP security scanner

Guide

Quick preflight read: the official filesystem reference server setup

This is a short preflight read of the public setup pattern around the official filesystem reference server from the modelcontextprotocol/servers repository.

It is not a claim that the server is malicious or compromised. It is a practical look at what a careful developer should review before trusting a local filesystem MCP server in a real workspace.

Source material

Why this one is worth auditing

The repository is the main public reference collection for MCP servers. The filesystem server is also one of the easiest ways to grant an agent real read and write access to local files, which means the trust bar should be high.

The repository itself describes these servers as reference implementations maintained by the MCP steering group. That is useful context: reference code is a good starting point, but it is not the same thing as a hardened production deployment.

What stands out in a preflight review

1. The common setup example uses an ephemeral launcher

The public examples use npx -y @modelcontextprotocol/server-filesystem ....

That is convenient, but it also means the exact code path is easier to drift if you do not pin what you run. For a quick experiment, that may be fine. For a daily workflow, it is a trust downgrade.

Preflight take: pin the package version or use a reviewed local install instead of relying on an ephemeral runner every time.

2. The server is powerful by design

The filesystem server exposes real file operations. In practical terms, that means the main safety boundary is not "is this tool harmless?" but "how narrow is the allowed path scope?"

If the allowed directories are broad, the blast radius is broad. If the allowed directories are narrow, the review is much easier.

Preflight take: keep the allowed roots as small as possible and do not point the server at an entire home directory just because it works.

3. Setup quality matters as much as code quality

The public issue history shows repeated Windows-specific path handling problems: paths with spaces, path normalization, drive-letter casing, and access checks that behave differently than users expect.

That does not mean the server is unsafe by default. It does mean that filesystem MCP trust is partly operational: a server can be conceptually scoped, but still behave badly if path handling is off.

Preflight take: test your exact operating-system path layout before trusting the server in a real repo, especially on Windows.

4. Reference does not mean read-only

Many developers hear "filesystem server" and think "context access." In practice, the tool surface is wider than that. Once a server can read, write, move, and edit files, you should review it more like a scoped automation agent than a passive document viewer.

Preflight take: if you only need reading, prefer a narrower workflow or tighter allowed directories instead of handing over broad write capability by default.

What MCP Preflight would likely flag in a typical setup

  • the launcher is ephemeral and should be pinned
  • the allowed paths may be too broad for the task
  • the path scope should be reviewed carefully on Windows
  • write-capable filesystem access deserves a higher trust bar than read-only context sources

Bottom line

The official filesystem reference server is useful, but it should still be treated like a high-trust local capability.

The safest default is:

  • pin what you run
  • keep the allowed roots narrow
  • test the exact path behavior on your operating system
  • avoid granting write scope you do not actually need

That is the difference between "it starts" and "it is safe enough to trust."