The filesystem MCP server is the most-installed server in the ecosystem — it lets an AI client read, write, move and search files in directories you explicitly allow. The whole game is scoping it correctly. Here is the safe setup.
How access works
The official @modelcontextprotocol/server-filesystem only touches the directories you pass as arguments. Nothing outside those paths is reachable. Treat each allowed directory as a grant of full read/write, so be deliberate.
Configure the client
Pass one or more allowed directories after the package name:
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-filesystem",
"/Users/you/projects",
"/Users/you/notes"
]
}
}
}
On Windows use full paths like C:\\Users\\you\\projects. Restart the client; see MCP config file location if you cannot find the file.
Verify
Ask: "List the files in my projects directory and read the README." It should return real contents from the allowed path — and refuse anything outside it.
Safe-use rules
- Never allow your home directory or
/. That hands the AI your entire disk, including credentials and SSH keys. - Prefer a dedicated working folder. Point it at one project, not everything.
- Use read-only where possible. If you only need the AI to read, keep write-heavy tools out of the loop.
- Back up before write-enabled sessions. An agent that can write can also overwrite.
This server is a textbook case for the least-privilege principle in our MCP security best practices.
Common problems
Access denied/path not allowed— the path is not in your allowed list, or there is a typo. Paths must be absolute.- No tools appear — Node 18+ required; check
node --version. See Claude Desktop MCP not loading. - Permission errors on write — the OS user running the client lacks write rights to that folder.
Going further
Filesystem is the backbone of nearly every coding stack — pair it with GitHub and a memory server. See our developer loadouts for tested combinations, or the developer tools category.