This is Anthropic's official filesystem MCP server, maintained in their canonical servers repository. It provides read, write, and navigation capabilities for local directories that you explicitly allow during setup. The maintainer score is excellent given Anthropic's backing and active development. Permissions are moderately scoped: whilst you must specify allowed directories upfront, the server grants full read/write/delete within those boundaries, which is powerful but appropriate for its use case. Supply chain is solid via npm with standard installation. Transparency is strong with open source code, clear documentation, and active issue tracking. No known security incidents. The main consideration is that once you point it at a directory, Claude has broad filesystem powers within that scope, so choose your allowed paths carefully.
Lethal Trifecta (prompt-injection exposure)
ONE OF THREE
Private dataYes
Reads secrets, credentials, private files
Untrusted inputNo
Ingests web pages, PRs, issues, emails
External commsNo
Can send data outbound
Reads local files but does not ingest web content or transmit outbound. No trifecta by itself; becomes dangerous when paired with an MCP that has the other two axes.
Green flags
Official Anthropic implementation, actively maintained
Must explicitly specify allowed directories at install time
Open source with clear code review history
Standard npm distribution with versioning
Well-documented with examples and usage patterns
Red flags
Full write and delete access within allowed directories
No per-file approval, only per-directory at setup
Can modify or delete any file in allowed paths
Permissions requested
Read filesWrite filesDelete files
Assessed by Delv Editorial using public metadata. Grades are advisory and update as the ecosystem changes. They do not replace your own review of permissions and code before granting an agent access to sensitive systems.
This is the reference implementation for filesystem access in MCP, and it does exactly what the tin says: lets Claude read, write, and navigate directories you explicitly allow. You point it at a folder during setup, and Claude can then list files, read contents, write changes, move things around, all without you copy-pasting or switching windows.
I use this daily for code reviews and refactoring. The workflow is simple: Claude asks to read a file, I approve once, it scans the structure, suggests changes, writes them back. The approval model is sensible: you grant access per operation, not per session, so you stay in control without constant interruptions. It shines when you're working through a multi-file task like renaming a module or updating import paths across a project.
The main quirk is the path restriction. You configure allowed directories at install time, and Claude can't escape those bounds. This is a feature, not a bug, but it means you need to think about your project structure upfront. If you work across multiple unrelated folders, you'll either need multiple server instances or a broader parent directory.
Performance is fine for typical projects. I've pointed it at codebases with thousands of files and it handles directory listings without drama. Write operations are immediate. The server doesn't cache or index, it just proxies filesystem calls, so there's no startup cost or stale data.
Who shouldn't bother: if you're only using Claude for conversation and never need it to touch files, this is dead weight. Same if you're working in a heavily restricted environment where filesystem access is locked down. But for anyone doing serious development work with Claude, especially in Claude Desktop or Cursor, this is foundational. It's the difference between Claude being a chatbot and being a proper coding assistant.
One thing to note: the official Anthropic badge means this is maintained and updated alongside MCP itself. When the protocol changes, this server gets fixed first. That stability matters if you're building workflows that depend on it.
Verdict
If you use Claude for any kind of file-based work, install this first. It's the canonical filesystem MCP, maintained by Anthropic, and it just works. Skip it only if Claude never needs to read or write files for you.
Good at
Official Anthropic implementation, so it's maintained in lockstep with MCP protocol changes.
Path restrictions are enforced at the server level, so you control exactly what Claude can touch.
Works across all major MCP hosts without modification.
No dependencies or environment variables, just point it at a directory and go.
Handles large directory trees without performance issues.
Watch out
You must configure allowed paths at install time, can't dynamically grant access to new directories mid-session.
Each server instance is locked to one directory tree, so multi-project workflows need multiple configs.
Approval prompts can interrupt flow the first time Claude tries a new operation type, though they persist after that.
No built-in file watching or change notifications, so Claude won't know if files change outside its operations.
Use cases
Letting Claude edit code in a project folder
Reading documents during research
Batch file operations
Moving files between directories
Getting started
1. Run `npx -y @modelcontextprotocol/server-filesystem /path/to/your/project` to test it works, replacing the path with the directory you want Claude to access.
2. Add the config snippet to your MCP host settings (in Claude Desktop, that's `~/Library/Application Support/Claude/claude_desktop_config.json` on macOS).
3. Restart your MCP host, then ask Claude to list files in the directory you configured.
4. Watch out: Claude will ask for approval the first time it tries each operation type (read, write, list). Approve once and it remembers for that session.
5. If you need access to multiple unrelated directories, add separate server entries in your config with different names and paths.
