Picture this. You ask your coding agent to "tidy up the config files." It interprets that broadly. It overwrites .env with what it thinks the defaults should be. It moves docker-compose.yml into a subdirectory that doesn't exist yet. It edits your SSH config. Fifteen seconds, twelve tool calls, and your local environment is wrecked. The agent didn't go rogue — it did exactly what it thought you wanted, with tools that let it do anything.

12 tools, zero restrictions

The filesystem MCP server is one of the most popular MCP servers in the ecosystem. It ships 12 tools:

Read tools — read_text_file, read_multiple_files, read_media_file, list_directory, list_allowed_directories, get_file_info, search_files, directory_tree

Write tools — write_file, edit_file, create_directory, move_file