MCP Filesystem Server

execute_command

Execute system commands with security validation to perform basic operations, capture output, and manage execution within time limits.

Instructions

Execute a system command with security restrictions. Validates commands for safety and provides detailed output. Limited to basic system operations with security checks.

Input Schema

TableJSON Schema

Name	Required	Description
`command`	Yes	The command to execute
`workingDir`	No	Working directory for command execution
`timeout`	No	Maximum execution time in milliseconds (max 30s)
`captureOutput`	No	Whether to capture and return command output

Implementation Reference

src/utils/exec/index.ts:96-149 (handler)

Primary handler function that performs command validation, executes the command using child_process.exec with timeout and cwd, captures stdout/stderr/exitCode, logs metrics.

export async function executeCommand(
  args: z.infer<typeof ExecuteCommandArgsSchema>,
  _config: Config
): Promise<{ stdout: string; stderr: string; exitCode: number }> {
  const endMetric = metrics.startOperation('execute_command')
  try {
    await logger.debug(`Executing command: ${args.command}`, { args })

    // Validate the command for security
    validateCommand(args.command)

    // Set working directory or use current directory
    const options = {
      cwd: args.workingDir || process.cwd(),
      timeout: args.timeout,
      encoding: 'utf-8' as const,
    }

    try {
      // Execute the command
      const { stdout, stderr } = await exec(args.command, options)
      await logger.debug(`Command executed successfully: ${args.command}`, {
        stdout: stdout.substring(0, 100) + (stdout.length > 100 ? '...' : ''),
      })

      endMetric()
      return {
        stdout,
        stderr,
        exitCode: 0,
      }
    } catch (error: any) {
      // Handle command execution errors
      const stderr = error.stderr || ''
      const stdout = error.stdout || ''
      const exitCode = error.code || 1

      await logger.warn(`Command execution failed: ${args.command}`, {
        exitCode,
        stderr: stderr.substring(0, 100) + (stderr.length > 100 ? '...' : ''),
      })

      endMetric()
      return {
        stdout,
        stderr,
        exitCode,
      }
    }
  } catch (error) {
    metrics.recordError('execute_command')
    throw error
  }
}

src/utils/exec/index.ts:44-57 (schema)

Zod schema defining the input parameters for the execute_command tool: command (required), workingDir (optional), timeout (optional, default 5000ms, max 30s), captureOutput (optional boolean).

 * Schema for execute_command arguments
 */
export const ExecuteCommandArgsSchema = z.object({
  command: z.string().describe('The command to execute'),
  workingDir: z.string().optional().describe('Working directory for command execution'),
  timeout: z
    .number()
    .int()
    .positive()
    .max(30000)
    .default(5000)
    .describe('Maximum execution time in milliseconds (max 30s)'),
  captureOutput: z.boolean().default(true).describe('Whether to capture and return command output'),
})

src/index.ts:348-353 (registration)

Tool registration in the list_tools response, defining name, description, and inputSchema converted from ExecuteCommandArgsSchema.

name: 'execute_command',
description:
  'Execute a system command with security restrictions. ' +
  'Validates commands for safety and provides detailed output. ' +
  'Limited to basic system operations with security checks.',
inputSchema: zodToJsonSchema(ExecuteCommandArgsSchema) as ToolInput,

src/index.ts:736-755 (handler)

MCP call_tool dispatcher case for 'execute_command': parses args with schema, calls the executeCommand implementation, formats response with stdout/stderr/exitCode.

case 'execute_command': {
  const parsed = ExecuteCommandArgsSchema.safeParse(a)
  if (!parsed.success) {
    throw new FileSystemError(`Invalid arguments for ${name}`, 'INVALID_ARGS', undefined, {
      errors: parsed.error.format(),
    })
  }

  const result = await executeCommand(parsed.data, config)

  endMetric()
  return {
    content: [
      {
        type: 'text',
        text: `Command execution completed with exit code: ${result.exitCode}\n\nSTDOUT:\n${result.stdout}\n\nSTDERR:\n${result.stderr}`,
      },
    ],
  }
}

src/utils/exec/index.ts:65-87 (helper)

Helper function to validate command safety: checks against forbidden substrings and safe regex pattern, throws FileSystemError if unsafe.

function validateCommand(command: string): boolean {
  // Check for forbidden commands
  if (FORBIDDEN_COMMANDS.some((forbidden) => command.includes(forbidden))) {
    throw new FileSystemError(
      `Command contains forbidden operations`,
      'FORBIDDEN_COMMAND',
      undefined,
      { command }
    )
  }

  // Validate command against safe pattern
  if (!SAFE_COMMAND_REGEX.test(command)) {
    throw new FileSystemError(
      `Command contains potentially unsafe characters`,
      'UNSAFE_COMMAND',
      undefined,
      { command }
    )
  }

  return true
}

Tool Definition Quality

B3.4/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It adds value by mentioning security restrictions, validation for safety, and detailed output, which goes beyond the input schema. However, it lacks details on specific security measures, error handling, or output format, leaving gaps for a mutation tool.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is appropriately sized with three concise sentences that front-load key information (execution with security). Every sentence adds value, but minor redundancy ('security restrictions' and 'security checks') slightly reduces efficiency, preventing a perfect score.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (executing system commands with security) and no annotations or output schema, the description is partially complete. It covers purpose and security aspects but lacks details on return values, error cases, or specific limitations, making it adequate but with clear gaps for safe use.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the input schema fully documents all parameters. The description doesn't add any parameter-specific information beyond what's in the schema, such as examples or constraints. Thus, it meets the baseline of 3 without compensating further.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Execute a system command with security restrictions.' It specifies the verb ('execute') and resource ('system command'), and distinguishes it from siblings like 'bash_execute' by mentioning security restrictions. However, it doesn't explicitly differentiate from 'bash_pipe' or other execution tools, keeping it at 4 rather than 5.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage context with phrases like 'Limited to basic system operations with security checks,' suggesting when to use it (for secure command execution). However, it doesn't explicitly state when not to use it or name alternatives like 'bash_execute' or 'bash_pipe,' leaving some ambiguity compared to explicit guidance.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/A-Niranjan/mcp-filesystem'

If you have feedback or need assistance with the MCP directory API, please join our Discord server