filesystem
Sandboxed file access. Every path passed as an argument becomes part of the sandbox; everything outside is rejected, including symlinks that escape via following.
Usage
native-mcp filesystem [--read-only] PATH [PATH...]Each PATH must be an existing directory.
Flags
| Flag | Default | Description |
|---|---|---|
--read-only | off | Hide the mutation tools (write_file, create_directory, move_file, delete_file, delete_directory) from tools/list. |
Tools
list_allowed_paths
Returns the sandbox roots, one per line. Useful for the LLM to understand what it can touch.
read_file
| Field | Type | Required | Description |
|---|---|---|---|
path | string | yes | Path inside the sandbox. |
Returns the file contents as UTF-8 text.
list_directory
| Field | Type | Required | Description |
|---|---|---|---|
path | string | yes | Directory to list. |
Each entry is prefixed with [F] for files and [D] for directories.
get_file_info
Returns size, mode, mtime, and kind (file/directory/symlink).
write_file (disabled in --read-only)
| Field | Type | Required | Description |
|---|---|---|---|
path | string | yes | File to write. Parent directories are created as needed. |
content | string | yes | UTF-8 content (overwrites existing). |
create_directory (disabled in --read-only)
Creates a directory and any missing parents (mkdir -p).
move_file (disabled in --read-only)
| Field | Type | Required | Description |
|---|---|---|---|
source | string | yes | Existing path. |
destination | string | yes | Target path. |
Both paths must be inside the sandbox.
delete_file (disabled in --read-only)
Removes a regular file. Refuses directories.
delete_directory (disabled in --read-only)
| Field | Type | Required | Description |
|---|---|---|---|
path | string | yes | Directory to delete. |
recursive | bool | no | If true, delete contents too. |
Refuses to delete a sandbox root path.
Why delete_*?
The official @modelcontextprotocol/server-filesystem does not expose deletion. We add delete_file and delete_directory because:
- Coding agents routinely need to remove generated artifacts.
- The sandbox already restricts the blast radius.
delete_directorydefaults to non-recursive and refuses to delete sandbox roots.
If you want to disable mutation entirely, run with --read-only.
Register in Claude Code
claude mcp add native-fs native-mcp filesystem /tmp /home/you/projects
claude mcp add native-fs-ro native-mcp filesystem --read-only /etc