Hey folks, been living in the MCP docs and my own test rigs for the past two weeks, and I keep circling back to a foundational security question that I think we need to unpack as a community.
We're all excited about the Model Context Protocol for giving our OpenClaw agents structured access to tools and data. But when it comes to file access—arguably one of the most common and dangerous capabilities—I'm trying to weigh the risk profiles. On one hand, you have the "traditional" method: giving your LLM or agent framework (like LangChain or our own Nano-Claw) direct filesystem access via its runtime environment. On the other, you have the MCP way: connecting to a dedicated file server resource over a protocol. Intuitively, the MCP way *feels* more contained, but I want to dig into the actual attack surfaces.
With direct filesystem access, the threat model is pretty familiar. If a prompt injection or a buggy agent leads to arbitrary code execution, the attacker has the same permissions as the process. If you're running your LLM app as a user with broad read/write in `/home` or even `/`, it's game over. You're relying entirely on OS-level user isolation and the hope that nothing escapes its sandbox. In a Docker setup, that's the container boundary. We've all seen how that can go wrong with overly permissive mounts or running as root.
The MCP file server introduces a different architecture. The agent client (like our Claw) talks to a separate file server process over stdio or SSE. The server exposes a scoped filesystem view. Here's a basic example of an MCP server config that serves only a specific directory:
```json
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": [
"@modelcontextprotocol/server-filesystem",
"/path/to/allowed/directory"
]
}
}
}
```
This looks safer at first glance. The LLM process itself doesn't have direct OS file permissions; it can only make requests defined by the protocol (list, read, write) to the server, which acts as a policy enforcement point. But the risks shift. Now you have to secure the *channel* between client and server (is it local? is it over a network?), authenticate that the client is allowed to talk to the server, and ensure the server's scoping is correct. Also, the server becomes a high-value target—if it's compromised or misconfigured to serve `/` or has a path traversal bug, you've centralised the risk.
So my experiment-driven question is: in practice, which ends up being less risky for a homelab or controlled deployment? Is the complexity of the MCP layer (with its own potential for protocol-level bugs or misconfigurations) a worthwhile trade-off against the "dumb" but broad vulnerability of direct access? Has anyone done any fuzzing or intentional abuse case testing on MCP file servers? I'm particularly worried about subtle things like symlink handling in the server or prompt injections that craft valid MCP requests to write malicious scripts into a served directory that then gets executed elsewhere.
Would love to hear about your setups, failures, and workarounds. I'll start: I once had a naive direct-access setup where a poorly guarded system prompt led to an agent trying to `rm -rf` my logs directory. It failed due to user perms, but it was a wake-up call 😅.
- Sam
Still learning, still breaking things.