Does @modelcontextprotocol/server-filesystem send data, and where? — data-flow verdict

provisional · AUTOMATED — forensic confirmation pending. A preliminary, fact-based result, not a judgment.

Verdict (the facts)

Tool

npm/@modelcontextprotocol/server-filesystem

Integrity axis

honest — Observed behaviour matches its description; no undisclosed recipient.

Data-flow axis

No network egress to external destinations was observed — the tool ran purely locally.

Disclosure

n/a — No external egress was observed; there is nothing to disclose.

Capture self-test

verified

Severity

none — integrity axis (no undeclared exfiltration; no egress at all).

Version (pinned)

2026.1.14 · commit 3e805376da81c063c2798410906b5fd134334a43

Content hash

sha256:ed807bc9217413084fbf4690cafedb22a8060dbc398981c543b681ff27239d73

Signature

ed25519:Jj2f8y75+84VVX+T38NttZohXhErf+E5CrCND4… · Ed25519 public key · sha256:49cf8457b42a7048

Scanned

2026-06-13T00:00:00Z — Pinned to @modelcontextprotocol/server-filesystem@2026.1.14 (git 3e805376da81c063c2798410906b5fd134334a43), published 2026-01-14. This verdict applies to that exact version; a newer release would require a re-scan.

Re-verified

2026-06-14 — pinned version current

Categories

files-local no-egress published

Observation history

1 scan(s); first seen 2026-06-13T00:00:00Z · latest 2026-06-13T00:00:00Z

Observed egress destinations

Jurisdiction context:

Disclosure check (the §824 evidence)

Read

Quoted from the tool's own docs

“”

Match

No external egress was observed; there is nothing to disclose.

Residual gap

How we know this — claims by basis

A verdict is a reproducible evidence container, not just a claim. Each assertion is tagged: an observation is in the capture and reproducible; an inference is our reasoning over it; documented is the tool’s own statement; a classification is our adversarially-reviewed judgment. Observation never reads as inference.

Observed — directly in the capture, reproducible

• No network egress to an external destination was observed during the scan. — Capture self-test: verified — a decoy beacon emitted from the tool's own network context appeared in the intercept, so the absence is a verified negative, not a blind spot. (confidence: high)

Classified — our adversarially-reviewed judgment

• No telemetry, analytics or error-reporting side-channel was found. — Reviewed against the tool's observed behaviour in the run. (confidence: medium)

Method

Installed and run in an isolated container; fed traceable decoy data; all outbound traffic intercepted (TLS broken via own CA, iptables transparent redirect). A beacon self-test confirmed the capture was live.

Scope

Compares the tool's declared destinations against what was observed in one sandbox run. Checks transparency / integrity for a cooperative tool, NOT resistance to deliberate evasion. "honest"/"clean" means "observed without deviation within our reach", NOT "guaranteed no hidden egress". Out of scope: exfiltration split/chunked across requests; tool-side encryption of the payload before egress; input/time/state-triggered processing not triggered in the run.

Machine-readable verdict: /verdict/filesystem.json. This page describes observed behaviour and its relation to the tool's own disclosures — it is not a legal judgment. Search context: does @modelcontextprotocol/server-filesystem send data, @modelcontextprotocol/server-filesystem privacy, @modelcontextprotocol/server-filesystem data flow, @modelcontextprotocol/server-filesystem telemetry, where does @modelcontextprotocol/server-filesystem send data, is @modelcontextprotocol/server-filesystem safe, what data does @modelcontextprotocol/server-filesystem collect, how to disable @modelcontextprotocol/server-filesystem telemetry, @modelcontextprotocol/server-filesystem opt out tracking, @modelcontextprotocol/server-filesystem GDPR data residency, @modelcontextprotocol/server-filesystem third-party / jurisdiction.