Three takes on filesystem access for MCP
Filesystem access is one of the most common MCP server categories — letting an AI assistant read, write, and traverse local files. Three npm packages compete for this role: @agent-infra/mcp-server-filesystem (from the ByteDance UI-TARS-desktop project), the official @modelcontextprotocol/server-filesystem, and the unscoped mcp-server-filesystem. They all describe themselves identically ("MCP server for filesystem access") but their scores, adoption, and risk profiles diverge significantly.
Score breakdown
| Dimension | @agent-infra | @modelcontextprotocol | mcp-server-filesystem |
|---|---|---|---|
| Overall | 86.8 | 65.5 | 59.2 |
| Security | 100.0 | 100.0 | 100.0 |
| Freshness | 100.0 | 30.0 | 30.0 |
| Adoption | 68.9 | 60.0 | 28.5 |
| Quality | 80.0 | 60.0 | 60.0 |
| Trust | 50.0 | 50.0 | 50.0 |
| Risk class | high | high | unknown |
| Tool count | 12 | 0 | n/a |
| License present | yes | yes | yes |
Security & risk
All three packages report a security score of 100 and ship with a license, but the picture is not as clean as it looks:
- @agent-infra/mcp-server-filesystem has 3 secrets found in its repository scan. Despite the perfect security subscore and a recent commit, this is a serious flag — committed credentials in an upstream filesystem tool warrant a manual audit before use in any sensitive environment. Its overall risk class is
high. - @modelcontextprotocol/server-filesystem reports 0 secrets found, but is also classified
highrisk — likely driven by its broad capabilities (reads, writes, and makes network calls) combined with weak freshness signals. - mcp-server-filesystem reports 0 secrets but its risk class is
unknown— there is no linked GitHub repository, so behavioral flags (reads/writes/network) could not be determined. Treat unknown risk as a yellow flag, not a green one.
All three are documented as reading the filesystem, writing the filesystem, and making network calls (where data was available). Sandbox and path-allowlist them accordingly.
Adoption & activity
Weekly downloads tell a very different story than overall score:
- @modelcontextprotocol/server-filesystem: 331,404 weekly downloads — the de facto default by a huge margin, even though its repo (the monorepo at
modelcontextprotocol/servers) shows 0 stars in this dataset and a freshness score of only 30. - @agent-infra/mcp-server-filesystem: 265 weekly downloads, but lives inside the popular
bytedance/UI-TARS-desktoprepo with 30,499 stars and a commit just 9 days ago. Hence the perfect 100 freshness score and the highest quality subscore (80). - mcp-server-filesystem: 193 weekly downloads, no GitHub URL on file, no commit data — the lowest adoption (28.5) of the three.
Install commands
npx @agent-infra/mcp-server-filesystemnpx @modelcontextprotocol/server-filesystemnpx mcp-server-filesystemRecommendation
For most users, @modelcontextprotocol/server-filesystem is the pragmatic winner despite its lower headline score (65.5). It has 331k+ weekly downloads, no secrets detected, a permissive license, and is the reference implementation maintained under the modelcontextprotocol org — which means tooling, examples, and Claude Desktop docs target it directly. Its weak freshness score is worth watching, but operationally it is the safest default.
@agent-infra/mcp-server-filesystem earns the highest composite score (86.8) on the back of recent commits and a richer 12-tool surface, but the 3 secrets found in its source repository are a real concern. Do not adopt it in production until those findings are reviewed; it is best treated as an experimental option tied to the UI-TARS-desktop project.
mcp-server-filesystem (unscoped) is hard to recommend: lowest adoption, no linked repository, and an unknown risk class. Skip it unless you have a specific reason and are prepared to audit the package yourself.