Your Coding Agent Can Delete Any File on Disk

A developer warns that coding agents using the popular filesystem MCP server can delete or overwrite files without restrictions, as the server's 12 tools have no rate limits or confirmation steps. The developer introduces Intercept, a tool that enforces YAML-based policies to cap write operations at 30 per hour and moves at 15 per hour, preventing runaway agent loops.

Picture this. You ask your coding agent to "tidy up the config files." It interprets that broadly. It overwrites `.env` with what it thinks the defaults should be. It moves `docker-compose.yml` into a subdirectory that doesn't exist yet. It edits your SSH config. Fifteen seconds, twelve tool calls, and your local environment is wrecked. The agent didn't go rogue — it did exactly what it thought you wanted, with tools that let it do anything.

The filesystem MCP server (https://github.com/modelcontextprotocol/servers/tree/main/src/filesystem) is one of the most popular MCP servers in the ecosystem. It ships 12 tools:

- Read tools — `read_text_file`, `read_multiple_files`, `read_media_file`, `list_directory`, `list_allowed_directories`, `get_file_info`, `search_files`, `directory_tree`
- Write tools — `write_file`, `edit_file`, `create_directory`, `move_file`

Out of the box, every one of those tools is unrestricted. An agent can call `write_file` a thousand times in a minute. It can `move_file` your entire project structure into a flat directory. There's no throttle, no confirmation step, no limit of any kind.

The read tools are relatively safe — an agent scanning your codebase is doing its job. The write tools are where things go sideways. A single rogue loop (https://policylayer.com/blog/ai-agent-goes-rogue) calling `write_file` can overwrite dozens of files before you notice. And unlike a database, your local filesystem has no rollback button.

Intercept (https://github.com/policyLayer/intercept) sits between your agent and the filesystem server, enforcing a YAML policy on every tool call.
Here's what the filesystem policy looks like:

```yaml
version: "1"
description: "Policy for modelcontextprotocol/server-filesystem"
default: "allow"

tools:
  # Read tools — no restrictions
  read_text_file:
    rules: []
  read_multiple_files:
    rules: []
  list_directory:
    rules: []

  # Write tools — rate limited
  write_file:
    rules:
      - name: "rate-limit-writes"
        rate_limit: "30/hour"
        on_deny: "Rate limit: max 30 file writes per hour"
  edit_file:
    rules:
      - name: "rate-limit-writes"
        rate_limit: "30/hour"
        on_deny: "Rate limit: max 30 file edits per hour"
  move_file:
    rules:
      - name: "rate-limit-moves"
        rate_limit: "15/hour"
        on_deny: "Rate limit: max 15 move/rename operations per hour"
  create_directory:
    rules:
      - name: "rate-limit-writes"
        rate_limit: "30/hour"
        on_deny: "Rate limit: max 30 directory creations per hour"

  # Global safety net
  "*":
    rules:
      - name: "global-rate-limit"
        rate_limit: "120/minute"
        on_deny: "Rate limit: max 120 tool calls per minute"
```

The logic is straightforward. Read operations pass through freely. Write operations are capped at 30 per hour. Moves are tighter at 15 per hour — because renaming or relocating files is harder to undo. And a global rate limit of 120 calls per minute catches runaway loops regardless of tool type.

These are deterministic policies (https://policylayer.com/blog/deterministic-ai-agent-policies), not prompt-based suggestions. The agent doesn't get to negotiate. When it hits the limit, the call is blocked at the transport layer and never reaches the filesystem server. The agent receives the `on_deny` message and can adjust its approach.

Install Intercept and generate the filesystem policy:

```bash
# Install
npm install -g @policylayer/intercept

# Generate the policy
intercept scan -- npx -y @modelcontextprotocol/server-filesystem /path/to/allowed/dir
```

The `scan` command connects to the filesystem server, discovers all 12 tools, and generates a policy YAML with sensible defaults — the same one shown above. Edit the limits to match your workflow.
If you're doing a large refactor, bump `write_file` to 100/hour. If you're running an agent overnight, drop it to 10.

Then run with enforcement:

```bash
intercept -c filesystem.yaml -- npx -y @modelcontextprotocol/server-filesystem /path/to/allowed/dir
```

Every `tools/call` now passes through the policy engine. Reads flow through. Writes are counted. Limits are enforced. Your filesystem stays intact.

The policy file is just YAML — version it alongside your code, share it across your team, adjust it per project. No SDK integration, no code changes, no runtime dependency in your agent.
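
To see how the limits in the policy above behave before picking your own numbers, the sketch below models them and replays a constructed runaway loop. It is an added example, not Intercept's code; the fixed-window counting, the one-counter-per-tool scoping, and the choice not to count denied calls are all assumptions.

```python
from collections import defaultdict

# (max calls, window in seconds, on_deny message), copied from the policy on this page.
HOUR, MINUTE = 3600, 60
POLICY = {
    "write_file": (30, HOUR, "Rate limit: max 30 file writes per hour"),
    "edit_file": (30, HOUR, "Rate limit: max 30 file edits per hour"),
    "move_file": (15, HOUR, "Rate limit: max 15 move/rename operations per hour"),
    "create_directory": (30, HOUR, "Rate limit: max 30 directory creations per hour"),
    "*": (120, MINUTE, "Rate limit: max 120 tool calls per minute"),
}

class PolicyModel:
    """Assumed semantics: fixed windows, one counter per tool, denied calls not counted."""

    def __init__(self):
        self.counts = defaultdict(int)  # (rule key, window index) -> forwarded calls

    def check(self, tool, now):
        """Decide one tools/call at time `now` (seconds); returns (allowed, message)."""
        slots = []
        for key in ("*", tool):
            if key not in POLICY:
                continue  # read tools have no per-tool rule
            limit, window, message = POLICY[key]
            slot = (key, int(now // window))
            if self.counts[slot] >= limit:
                return False, message  # blocked before reaching the server
            slots.append(slot)
        for slot in slots:
            self.counts[slot] += 1
        return True, None

def simulate(calls):
    """calls: iterable of (timestamp, tool). Returns (forwarded per tool, deny messages)."""
    model, forwarded, denied = PolicyModel(), defaultdict(int), []
    for now, tool in calls:
        allowed, message = model.check(tool, now)
        if allowed:
            forwarded[tool] += 1
        else:
            denied.append(message)
    return dict(forwarded), denied

# Constructed sample: a runaway loop of 200 writes in 10 seconds, then 20 moves.
RUNAWAY = [(i * 0.05, "write_file") for i in range(200)]
RUNAWAY += [(10 + i, "move_file") for i in range(20)]
```

Calling `simulate(RUNAWAY)` forwards 30 of the 200 writes and 15 of the 20 moves; the remaining 175 calls come back with the matching `on_deny` message.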