What is a filesystem MCP server?

A filesystem MCP server is a Model Context Protocol server that exposes local file system operations — reading, writing, searching, and managing files — as tools and resources that AI applications like Claude Desktop or Cursor can use. The official Anthropic filesystem server (at @modelcontextprotocol/server-filesystem) provides sandboxed access to specified directories with configurable permissions.

Is it safe to give AI access to my local files through MCP?

Yes, when configured properly. Filesystem MCP servers use directory sandboxing, which restricts AI access to only the directories you explicitly allow. The official server prevents path traversal attacks, enforces read-only or read-write permissions per directory, and requires user confirmation before executing write operations in most MCP clients. You should never expose your entire root filesystem — always limit access to specific project directories.

How do I install the official filesystem MCP server?

Install via npx with: npx -y @modelcontextprotocol/server-filesystem /path/to/allowed/directory. For Claude Desktop, add it to your claude_desktop_config.json under mcpServers with the command and allowed directories as arguments. For Cursor, configure it in your .cursor/mcp.json file.

Can filesystem MCP servers handle binary files like images and PDFs?

The base filesystem server handles text files natively. For binary files like PDFs and images, specialized document MCP servers exist — such as MCP server for PDF parsing, image analysis servers that integrate with vision models, and document conversion servers. Some servers like markitdown-mcp can convert Office documents, PDFs, and images to markdown for AI consumption.

What is the difference between the filesystem MCP server and the Git MCP server?

The filesystem MCP server provides general file operations (read, write, list, search) on any files within allowed directories. The Git MCP server specifically exposes Git operations (commits, branches, diffs, blame) for version-controlled repositories. They are complementary: use the filesystem server for general file manipulation and the Git server for version control workflows.

How do I restrict which files the AI can access?

You restrict access at three levels: (1) Directory allowlisting — only directories you pass as arguments are accessible; (2) File pattern filtering — some servers support glob patterns to include/exclude file types; (3) Permission modes — configure read-only vs read-write access per directory. The official server also blocks symlink traversal outside allowed directories.

Can I use multiple filesystem MCP servers simultaneously?

Yes. MCP clients can connect to multiple servers concurrently. You might run one filesystem server for your project directory (read-write) and another for a reference documentation directory (read-only). Each server instance operates independently with its own permission configuration.

What are the performance limits of filesystem MCP servers?

Performance depends on the transport used. Local stdio-based servers have minimal overhead for typical operations. For large directories (10,000+ files), listing operations may be slow — use search tools with specific patterns instead of recursive listings. File size limits are generally determined by the MCP client's context window rather than the server itself. Most servers handle files up to several megabytes without issues.

Filesystem & Document MCP Servers: Secure Local Access

File access is the most fundamental capability an AI assistant can have. Without the ability to read your project files, analyze your documents, or write updated content, AI assistants are limited to operating on text you manually copy and paste into conversations. Filesystem and document MCP servers remove this limitation entirely, creating a direct bridge between the AI and your data.

Since their introduction alongside the MCP protocol in late 2024, filesystem servers have become the single most-installed category of MCP servers. Nearly every MCP user starts with a filesystem server, and many never remove it from their configuration. They are the backbone of AI-assisted development, document analysis, and content management workflows.

Filesystem and document MCP servers give AI applications controlled, secure access to your local files and documents. They are among the most fundamental MCP servers available, enabling AI assistants to read project files, analyze documents, write code, and manage content -- all within the safety boundaries you define.

This guide covers everything you need to know about filesystem and document MCP servers: how they work, how to configure them securely, which options are available, and how to choose the right server for your workflow.

What Are Filesystem MCP Servers?

A filesystem MCP server is a Model Context Protocol server that exposes local file system operations as tools and resources to AI applications. When you connect a filesystem server to Claude Desktop, Cursor, or another MCP-compatible client, the AI gains the ability to:

Read files from specified directories
Write and create files with appropriate permissions
Search for files by name or content
List directory contents and navigate folder structures
Move, copy, and rename files
Get file metadata such as size, modification dates, and permissions

The key design principle is sandboxed access: the server only exposes directories you explicitly allow. The AI cannot access files outside those boundaries, ensuring your system remains secure.

The Official Filesystem MCP Server

Anthropic maintains the official filesystem MCP server as part of the Model Context Protocol reference implementations. It is the recommended starting point for most users.

Installation and Setup

The official server runs via Node.js and can be started with npx:

npx -y @modelcontextprotocol/server-filesystem /path/to/allowed/dir1 /path/to/allowed/dir2

For Claude Desktop, add this to your claude_desktop_config.json:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/Users/yourname/projects",
        "/Users/yourname/documents"
      ]
    }
  }
}

For Cursor, add to .cursor/mcp.json:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/Users/yourname/projects"
      ]
    }
  }
}

Available Tools

The official filesystem server exposes these tools:

Tool	Description	Parameters
`read_file`	Read complete contents of a file	`path` (string)
`read_multiple_files`	Read several files at once	`paths` (string[])
`write_file`	Create or overwrite a file	`path`, `content`
`edit_file`	Make selective edits with diff-style changes	`path`, `edits`, `dryRun`
`create_directory`	Create a new directory (with parents)	`path`
`list_directory`	List files and subdirectories	`path`
`directory_tree`	Get recursive tree structure	`path`
`move_file`	Move or rename a file	`source`, `destination`
`search_files`	Recursively search by filename pattern	`path`, `pattern`
`get_file_info`	Get file metadata (size, dates, permissions)	`path`
`list_allowed_directories`	Show which directories are accessible	(none)

Security Features

The official server implements several security measures:

Directory sandboxing: Only directories passed as command-line arguments are accessible
Path traversal prevention: Attempts to use ../ to escape allowed directories are blocked
Symlink resolution: Symbolic links are resolved and checked against the allowlist
No hidden file exposure by default: Standard glob patterns skip hidden files unless explicitly requested
Atomic write operations: File writes use temporary files to prevent corruption

Document MCP Servers

Beyond basic filesystem access, several MCP servers specialize in document processing -- handling PDFs, Office documents, images, and structured data formats.

PDF and Office Document Servers

Server	Language	Capabilities	Best For
`markitdown-mcp`	Python	Converts PDF, DOCX, PPTX, XLSX, images to Markdown	Universal document conversion
`mcp-server-pdf`	TypeScript	PDF text extraction, page-level access	PDF-focused workflows
`pandoc-mcp`	Python	Document format conversion via Pandoc	Format transformation
`mcp-server-docling`	Python	Advanced document understanding, table extraction	Complex document analysis

markitdown-mcp Deep Dive

The markitdown-mcp server, maintained by Microsoft, is one of the most versatile document servers. It converts virtually any document format to Markdown that AI models can process:

# Install and run
pip install markitdown-mcp
python -m markitdown_mcp --allowed-dir /path/to/documents

Supported formats include:

PDF files (with text extraction and basic layout preservation)
Microsoft Word (.docx)
Microsoft PowerPoint (.pptx) -- extracts slide content and speaker notes
Microsoft Excel (.xlsx) -- converts tables to Markdown tables
Images (JPEG, PNG) -- extracts EXIF data, and with optional LLM integration, provides image descriptions
HTML files
CSV and JSON files
ZIP archives (processes contents)

Configuration Example for Document Workflows

A comprehensive document processing setup might combine multiple servers:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/Users/yourname/projects"
      ]
    },
    "documents": {
      "command": "python",
      "args": [
        "-m",
        "markitdown_mcp",
        "--allowed-dir",
        "/Users/yourname/documents"
      ]
    }
  }
}

Security Considerations for Local File Access

Giving an AI application access to your local files demands careful security planning. Here are the essential practices to follow.

Principle of Least Privilege

Always grant the minimum access necessary:

Scope directories narrowly: Instead of /Users/yourname, allow only /Users/yourname/projects/current-project
Use read-only mode when possible: If the AI only needs to analyze files, do not grant write access
Separate concerns: Use different server instances for different security contexts

Path Traversal and Escape Prevention

The official filesystem server prevents path traversal, but when evaluating third-party servers, verify these protections:

# Good: Server validates all paths against allowed directories
def validate_path(requested_path: str, allowed_dirs: list[str]) -> bool:
    resolved = os.path.realpath(requested_path)
    return any(
        resolved.startswith(os.path.realpath(allowed))
        for allowed in allowed_dirs
    )

# Bad: Server trusts user input without validation
def read_file(path: str) -> str:
    return open(path).read()  # DANGEROUS - no validation

Sensitive File Exclusion

Configure your server to exclude sensitive files:

.env files containing API keys and secrets
SSH keys and certificates (~/.ssh/)
Browser profiles and cookies
Password databases
Private keys and credentials

Some servers support exclusion patterns:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/Users/yourname/projects"
      ],
      "env": {
        "MCP_FS_EXCLUDE_PATTERNS": "**/.env,**/*.pem,**/*.key,**/node_modules"
      }
    }
  }
}

Audit Logging

For enterprise deployments, enable logging to track all file operations:

What files were read and when
What files were written or modified
What searches were performed
Which AI session initiated each operation

This creates an audit trail essential for compliance requirements.

Comparison of Filesystem and Document Servers

The following table compares the major filesystem and document MCP servers available:

Server	Type	Language	Transport	Key Features	Maturity
`@modelcontextprotocol/server-filesystem`	Filesystem	TypeScript	stdio	Official reference, sandboxing, full CRUD	Stable
`markitdown-mcp`	Document	Python	stdio	Multi-format conversion, Microsoft maintained	Stable
`mcp-server-pdf`	Document	TypeScript	stdio	PDF-specialized, page-level access	Stable
`mcp-server-docling`	Document	Python	stdio	Advanced document understanding	Beta
`mcp-server-filesystem-py`	Filesystem	Python	stdio	Python alternative, async operations	Community
`pandoc-mcp`	Document	Python	stdio	Pandoc-powered format conversion	Community
`mcp-server-google-drive`	Cloud Files	TypeScript	stdio	Google Drive integration	Community
`mcp-server-s3`	Cloud Files	TypeScript	stdio	AWS S3 bucket access	Community

Selection Criteria

Choose your filesystem or document server based on these factors:

Use case: General file management vs. document processing vs. cloud storage
Language ecosystem: Match your development stack (Node.js vs. Python)
Security requirements: Official servers have undergone more security review
Format support: Ensure the server handles your document types
Performance needs: Local stdio is fastest; remote SSE adds latency

Common Workflows and Use Cases

Software Development

The most common use case for filesystem MCP servers is software development. Developers connect their project directory to an AI assistant, enabling:

Code review: The AI reads source files and provides feedback
Refactoring: The AI reads existing code, understands the structure, and writes updated files
Documentation generation: The AI reads code and creates documentation files
Bug investigation: The AI searches through files to locate issues

Document Analysis

Document MCP servers enable powerful analytical workflows:

Contract review: Load PDF contracts and have the AI extract key terms, dates, and obligations
Research synthesis: Process multiple academic papers and generate summaries
Data extraction: Convert spreadsheets and reports to structured data
Content migration: Transform documents between formats for CMS ingestion

Knowledge Base Construction

Combining filesystem servers with vector database MCP servers enables building knowledge bases:

The filesystem server reads documents from a source directory
A document processing server converts them to text
The AI chunks and embeds the content
A vector database server stores the embeddings for RAG applications

Advanced Configuration

Multi-Directory Setup with Different Permissions

You can run multiple filesystem server instances with different permission levels:

{
  "mcpServers": {
    "project-files": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/Users/yourname/projects/current-project"
      ]
    },
    "reference-docs": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/Users/yourname/reference-docs"
      ],
      "env": {
        "MCP_FS_READ_ONLY": "true"
      }
    }
  }
}

Environment Variables

The official filesystem server supports several environment variables for configuration:

Variable	Description	Default
`MCP_FS_READ_ONLY`	Restrict to read-only operations	`false`
`MCP_FS_MAX_FILE_SIZE`	Maximum file size to read (bytes)	`10485760` (10MB)
`MCP_FS_FOLLOW_SYMLINKS`	Whether to follow symbolic links	`true`
`MCP_FS_EXCLUDE_PATTERNS`	Comma-separated glob patterns to exclude	(none)

Integration with Version Control

Filesystem MCP servers pair naturally with version control servers. A typical development setup includes:

Filesystem server for reading and writing project files
Git/GitHub server for commits, branches, and pull requests
Developer tools server for linting, testing, and building

This combination gives the AI a complete development environment. See our software development guide for detailed workflow examples.

Troubleshooting Common Issues

"Permission Denied" Errors

If the server cannot access a file:

Verify the directory is included in the allowed directories list
Check filesystem permissions (ls -la on macOS/Linux)
Ensure the process running the MCP server has adequate OS-level permissions
On macOS, check if the terminal or IDE has Full Disk Access in System Settings

"File Not Found" When File Exists

This usually indicates a path resolution issue:

Use absolute paths, not relative paths
Check for case sensitivity (especially on Linux)
Verify symlinks resolve to allowed directories
Ensure the file is not excluded by a pattern filter

Large File Handling

When working with large files:

The AI's context window is the practical limit, not the server's capability
Use read_file with line range parameters if supported
For very large codebases, prefer search_files over directory_tree
Consider using a specialized search server (like ripgrep MCP) for large repositories

Server Startup Failures

If the server fails to start:

Verify Node.js is installed (node --version -- requires 18+)
Check that all allowed directories exist
Look for port conflicts if using SSE transport
Review server logs (typically stderr) for specific error messages

Building a Custom Filesystem Server

If the official server does not meet your needs, you can build a custom filesystem MCP server. Here is a minimal example in Python:

from mcp.server import Server
from mcp.types import Tool, TextContent
import os

app = Server("custom-filesystem")
ALLOWED_DIRS = ["/path/to/allowed"]

def validate_path(path: str) -> str:
    resolved = os.path.realpath(path)
    if not any(resolved.startswith(os.path.realpath(d)) for d in ALLOWED_DIRS):
        raise ValueError(f"Access denied: {path} is outside allowed directories")
    return resolved

@app.list_tools()
async def list_tools():
    return [
        Tool(
            name="read_file",
            description="Read a file's contents",
            inputSchema={
                "type": "object",
                "properties": {
                    "path": {"type": "string", "description": "File path to read"}
                },
                "required": ["path"]
            }
        )
    ]

@app.call_tool()
async def call_tool(name: str, arguments: dict):
    if name == "read_file":
        safe_path = validate_path(arguments["path"])
        with open(safe_path, "r") as f:
            content = f.read()
        return [TextContent(type="text", text=content)]

See our Python MCP server tutorial for a complete walkthrough of building custom MCP servers.

Google Drive and Cloud Storage MCP Servers

Beyond local file access, several MCP servers provide access to cloud-hosted files and documents.

Google Drive MCP Server

The Google Drive MCP server connects AI applications to files stored in Google Drive:

{
  "mcpServers": {
    "google-drive": {
      "command": "npx",
      "args": ["-y", "mcp-server-google-drive"],
      "env": {
        "GOOGLE_CLIENT_ID": "your_client_id",
        "GOOGLE_CLIENT_SECRET": "your_client_secret",
        "GOOGLE_REFRESH_TOKEN": "your_refresh_token"
      }
    }
  }
}

Available Tools:

Tool	Description
`search_files`	Search Drive files by name, type, or content
`read_file`	Read the contents of a Drive file
`list_files`	List files in a folder
`create_file`	Create a new file in Drive
`export_file`	Export Google Docs/Sheets to other formats

Use Cases:

Accessing shared team documents from AI conversations
Analyzing spreadsheets stored in Google Sheets
Creating draft documents in Google Docs format
Searching across a company's shared drives for information

AWS S3 MCP Server

For organizations using Amazon S3 for file storage:

{
  "mcpServers": {
    "s3": {
      "command": "npx",
      "args": ["-y", "mcp-server-s3"],
      "env": {
        "AWS_ACCESS_KEY_ID": "your_key",
        "AWS_SECRET_ACCESS_KEY": "your_secret",
        "AWS_REGION": "us-east-1",
        "S3_BUCKET": "your-bucket-name"
      }
    }
  }
}

This provides tools for listing objects, reading file contents, uploading files, and managing bucket operations -- all through the standardized MCP interface.

OneDrive and SharePoint

Enterprise organizations using Microsoft 365 can leverage OneDrive and SharePoint MCP servers to access corporate file shares, team sites, and document libraries through AI assistants.

Real-World Implementation Patterns

Pattern 1: AI-Powered Documentation System

Organizations can build AI documentation systems using filesystem and document MCP servers together:

Documentation Workflow:

1. Source Files (Filesystem MCP)
   └── Read Markdown docs, code files, README files

2. Document Conversion (markitdown MCP)
   └── Convert PDFs, Word docs to Markdown

3. AI Processing
   └── Index, summarize, cross-reference

4. Output (Filesystem MCP)
   └── Write generated documentation, indexes, summaries

This pattern enables automated documentation that stays synchronized with your codebase and reference materials.

Pattern 2: Compliance Document Processing

For regulated industries, filesystem and document servers enable automated compliance workflows:

Ingestion: Document server reads compliance documents (policies, procedures, regulations)
Analysis: AI identifies gaps between your policies and regulatory requirements
Reporting: Filesystem server writes gap analysis reports
Tracking: Combined with a database server, changes are tracked over time

Pattern 3: Content Migration Pipeline

When migrating content between systems (CMS migration, format conversion), MCP servers automate the process:

Read source content from the old system's file format
Convert documents to the target format using document processing servers
Apply transformations (update links, reformat metadata)
Write the converted content to the new system's directory structure

Performance Benchmarks and Optimization

Understanding filesystem server performance helps you configure optimal settings:

Read Performance

Operation	Files	Average Latency	Notes
`read_file` (small)	< 10KB	5-15ms	Negligible overhead
`read_file` (medium)	10KB-1MB	15-50ms	Most source code files
`read_file` (large)	1MB-10MB	50-500ms	Large data files
`read_multiple_files`	10 files	30-100ms	Batched reads more efficient
`search_files`	1K files	100-500ms	Pattern-dependent
`search_files`	10K files	500ms-2s	Consider ripgrep for large repos
`directory_tree`	100 entries	50-150ms	Recursive listing
`directory_tree`	10K entries	1-5s	Use targeted search instead

Write Performance

Write operations include additional safety overhead (path validation, atomic writes):

Operation	Size	Average Latency
`write_file` (new)	< 10KB	10-30ms
`write_file` (overwrite)	< 10KB	15-40ms
`edit_file` (diff)	Small diff	20-50ms
`create_directory`	Single	5-15ms
`move_file`	Same volume	5-20ms

Optimization Recommendations

Use read_multiple_files instead of sequential read_file calls -- the batched operation reduces protocol overhead
Prefer search_files with narrow patterns over broad directory_tree scans
Limit directory depth when using directory_tree on large repositories
Exclude node_modules, .git, and build directories from allowed paths when they are not needed
Use document conversion servers asynchronously -- convert large documents ahead of time rather than on demand

Comparison: Local vs. Cloud File Access

Aspect	Local Filesystem MCP	Cloud Storage MCP
Latency	Minimal (local I/O)	Network-dependent (50-500ms)
Security	OS-level permissions	API key/OAuth, network exposure
File Size	Limited by disk space	Limited by API and quotas
Concurrency	Excellent	Rate-limited by provider
Offline Access	Full	None
Collaboration	Single user (without sync)	Multi-user, versioned
Best For	Development, local analysis	Team documents, shared data

For more on local vs. remote server architecture, see our Local vs Remote MCP Servers guide.

File Watching and Change Detection

For workflows that require real-time awareness of file changes, some filesystem MCP servers support file watching capabilities. These enable AI assistants to monitor directories for modifications and react to changes as they happen.

Use Cases for File Watching

Live documentation updates: Detect when source code changes and regenerate documentation
Build trigger integration: Monitor configuration files and alert when critical settings change
Content pipeline automation: Watch a dropbox folder for new documents and process them through the document conversion pipeline
Compliance monitoring: Detect unauthorized changes to regulated files and flag them immediately

Implementing Change Detection Workflows

Even without native file watching, you can build effective change detection by combining filesystem server capabilities with periodic polling:

Scheduled workflow (every 5 minutes):

1. (Filesystem) directory_tree("/docs/") → get current state
2. Compare with cached previous state
3. For each changed file:
   a. (Filesystem) read_file(changed_file)
   b. Process the change (re-index, re-convert, re-validate)
   c. Log the change with timestamp and file hash
4. Update cached state for next comparison

This approach works well for content management, knowledge base maintenance, and compliance monitoring workflows where near-real-time detection is sufficient.

Document Versioning and Comparison

When working with documents that evolve over time, filesystem and document MCP servers enable powerful versioning and comparison workflows.

Comparing Document Versions

AI assistants can use filesystem servers to compare different versions of documents:

Comparison Type	Method	Best For
Text diff	Read both versions and compare line by line	Code files, markdown documents
Semantic comparison	Read both versions and summarize differences	Contracts, policies, long-form content
Structural comparison	Compare headings, sections, and overall organization	Technical documentation, reports
Data comparison	Extract tables from both versions and compare values	Spreadsheets, financial reports

Version Control for Non-Code Documents

While Git excels at code versioning, many document types benefit from AI-assisted versioning through filesystem servers:

User: "Compare the current version of our privacy policy
       with the version from January and summarize changes"

Claude's workflow:
1. (Filesystem) read_file("policies/privacy-policy-current.md")
2. (Filesystem) read_file("policies/archive/privacy-policy-2026-01.md")
3. Compare the two versions section by section
4. Generate a change summary:
   - Added sections: "AI Data Processing" (new section 7)
   - Modified sections: Data Retention (period changed from 2 to 3 years)
   - Removed sections: None
   - Impact assessment: Changes affect GDPR compliance documentation

This workflow is especially valuable for legal, compliance, and policy teams who need to track document changes without requiring all team members to learn version control systems.