AI

File System Access

AI Agents

File system tools let an agent read, write, list, and search files on a real disk: read_file(path), write_file(path, content), list_directory(path), glob, grep. They’re the defining tools of coding agents — Claude Code, Cursor, and their peers are essentially LLMs wired to a file system plus a shell — but any agent that processes documents, generates reports, or maintains its own notes needs them too.

Files matter beyond code because they double as cheap, durable working memory. An agent that can write plan.md, dump intermediate results to disk, and read them back later escapes the limits of its context window — it can tackle work spanning hours and hundreds of files by keeping state where it doesn’t cost tokens. The flip side is that this is among the most dangerous tool categories: an agent that writes arbitrary paths can corrupt a project, and one that reads arbitrary paths can leak ~/.ssh or .env secrets into context. Sandboxing is non-negotiable — confine every operation to an allowlisted root directory, canonicalize paths to block ../ traversal, and gate writes and deletes behind confirmation.

In practice you’ll rarely build these from scratch: the reference filesystem MCP server provides the standard set with directory scoping, and agent frameworks ship equivalents. If you do roll your own, keep operations atomic, return line-numbered reads so the model can request precise edits, cap file sizes to protect the context window, and prefer diff-style edits over whole-file rewrites.

Resources

0/4 completed