Filesystem MCP Server — 让 AI Agent 安全访问本地文件
安装 Filesystem MCP 服务器,让 Claude Code、Cursor 和 Windsurf 读取、写入、搜索本地文件——可配置目录边界,AI 只能访问你允许的范围。
安装 Filesystem MCP Server
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-filesystem",
"/Users/you/projects",
"/Users/you/Documents"
]
}
}
}Filesystem MCP Server — File Operations for AI
Official MCP server for safe filesystem operations. Read, write, search, and manage files and directories with configurable access controls. Essential for any AI coding workflow.
Filesystem MCP — Local File Access for AI Agents
Official MCP server that gives AI agents safe, scoped access to your local filesystem. Read, write, search, and manage files and directories with configurable permissions. 4,000+ stars.
MCP Reference Servers — Official Collection
Official MCP reference server implementations by Anthropic: filesystem, git, memory, fetch, sequential thinking, and more. The starting point for MCP development.
本地 AI 工作流的基础
The Filesystem MCP server is the most fundamental MCP integration — and often the first one developers install. It gives your AI agent the ability to read files, write files, create directories, list contents, search by name, and move or copy files. Unlike the file access built into Claude Code's native tool, MCP filesystem access is boundary-scoped: you specify exactly which directories the server can see, and it cannot escape those boundaries.
This architecture is critical for security. If you point the Filesystem MCP server at /Users/you/projects, it can read and write anything under that path — but it cannot access ~/.ssh, ~/.aws, or any other directory outside the boundary. For teams working with sensitive codebases alongside personal files, this is the difference between usable AI and unacceptable risk.
The server pairs naturally with every other MCP integration. Need your AI to read a local config file and use it to set up a PostgreSQL connection? Filesystem + Postgres. Need it to read a design spec PDF and commit code to GitHub? Filesystem + GitHub. For self-hosted AI setups, the filesystem server enables local document processing and RAG pipelines without sending any files to external services.
An AI that can't read your files is an AI that can't understand your project. The Filesystem MCP server fixes that — safely.
常见问题
What is the Filesystem MCP server?+
The Filesystem MCP server is an official reference implementation from the Model Context Protocol project. It exposes local file operations — read, write, create, delete, move, search, list — as MCP tools. You specify allowed directories at startup, and the server enforces those boundaries. It runs locally and never sends file data to external services.
Is it safe to give AI access to my filesystem?+
Yes, with proper scoping. The server only accesses directories you explicitly list as arguments. It cannot traverse above those paths — /Users/you/projects cannot reach /Users/you/.ssh. Best practices: (1) Never include your home directory root. (2) Exclude directories with secrets (.env files, credentials). (3) Start with read access to your project folders only.
How does this differ from Claude Code's built-in file access?+
Claude Code has native file read/write tools that work within the current working directory. The Filesystem MCP server adds capabilities beyond the CWD: cross-project file access, file search by name patterns, directory tree listing, and explicit boundary control. It's most useful when your agent needs to reference files across multiple projects or access files outside the current repo.
Can I restrict the server to read-only access?+
The reference implementation does not have a built-in read-only flag, but you can achieve this through OS-level permissions: run the server as a user that only has read access to the target directories. Alternatively, some community forks add a --read-only flag. For production setups, OS permissions are the safest approach.