{ "slug": "filesystem", "tool_id": "npm/@modelcontextprotocol/server-filesystem", "tool_name": "@modelcontextprotocol/server-filesystem", "source_type": "npm", "source_ref": "@modelcontextprotocol/server-filesystem", "version": "2026.1.14", "commit": "3e805376da81c063c2798410906b5fd134334a43", "dist_shasum": "cc7ba7e0e34aafd153048e8a213c7030b953d683", "version_pin": "Pinned to @modelcontextprotocol/server-filesystem@2026.1.14 (git 3e805376da81c063c2798410906b5fd134334a43), published 2026-01-14. This verdict applies to that exact version; a newer release would require a re-scan.", "scanned_at": "2026-06-13T00:00:00Z", "method": "Installed and run in an isolated container; fed traceable decoy data; all outbound traffic intercepted (TLS broken via own CA, iptables transparent redirect). A beacon self-test confirmed the capture was live.", "capture": "verified", "integrity": { "result": "honest", "note": "Observed behaviour matches its description; no undisclosed recipient." }, "data_flow": { "egress_observed": false, "notable": false, "summary": "No network egress to external destinations was observed — the tool ran purely locally.", "destinations": [], "jurisdiction_context": "" }, "disclosure": { "status": "n/a", "evidence": { "read": [], "quote": "", "match": "No external egress was observed; there is nothing to disclose.", "residual_gap": "" } }, "severity": { "grade": "none", "axis": "integrity axis (no undeclared exfiltration; no egress at all)." }, "evidence": { "capture_self_test": "verified", "observed_request": {}, "reproduce": { "scanner": "canary-sandbox (open methodology; Docker backend)", "command": "python -m canary.cli scan --backend docker # target: npm @modelcontextprotocol/server-filesystem@2026.1.14", "note": "Re-run it yourself: a beacon self-test confirms the capture was live, so an empty result is trustworthy, not a blind spot." } }, "scope_stamp": { "method": "declared-vs-observed", "subject_model": "cooperative-tool", "statement": "Compares the tool's declared destinations against what was observed in one sandbox run. Checks transparency / integrity for a cooperative tool, NOT resistance to deliberate evasion.", "out_of_scope": [ "exfiltration split/chunked across requests", "tool-side encryption of the payload before egress", "input/time/state-triggered processing not triggered in the run" ], "interpretation": "\"honest\"/\"clean\" means \"observed without deviation within our reach\", NOT \"guaranteed no hidden egress\"." }, "status": "provisional", "disclaimer": "AUTOMATED — forensic confirmation pending. A preliminary, fact-based result, not a judgment.", "content_hash": "sha256:ed807bc9217413084fbf4690cafedb22a8060dbc398981c543b681ff27239d73", "signature": "ed25519:Jj2f8y75+84VVX+T38NttZohXhErf+E5CrCND4bUvr4GHvbe8v733bnde0HnCG66e2yH6VC7vz+xJBzYc1sbBg==", "signature_alg": "Ed25519 over content_hash", "public_key_url": "/pubkey.pem", "signed_by": "sha256:49cf8457b42a7048", "last_checked": "2026-06-14", "pin_status": "current", "categories": { "domain": "files-local", "data_flow": "no-egress", "jurisdiction": [], "status": "published", "source": "npm" }, "observations": [ { "scanned_at": "2026-06-13T00:00:00Z", "version": "2026.1.14", "commit": "3e805376da81c063c2798410906b5fd134334a43", "finding": "no-egress", "integrity": 100, "evidence_coverage": 100, "egress_hosts": [], "content_hash": "sha256:ed807bc9217413084fbf4690cafedb22a8060dbc398981c543b681ff27239d73" } ], "observation_count": 1, "first_seen": "2026-06-13T00:00:00Z", "claims": [ { "basis": "observed", "statement": "No network egress to an external destination was observed during the scan.", "support": "Capture self-test: verified — a decoy beacon emitted from the tool's own network context appeared in the intercept, so the absence is a verified negative, not a blind spot.", "confidence": "high" }, { "basis": "classified", "statement": "No telemetry, analytics or error-reporting side-channel was found.", "support": "Reviewed against the tool's observed behaviour in the run.", "confidence": "medium" } ], "tier": "evidence-backed", "schema_version": "claims-1.0" }