Problem
Native Read/Write tools respect file deny lists. MCP tools that perform file operations (e.g., mcp__filesystem__read_file) use their own access paths and may bypass the native deny list, allowing MCP servers to read credentials, .env files, and other sensitive data.
Workaround
I built cc-mcp-guard.py, a PreToolUse hook (~100 lines Python) that intercepts MCP file operations and blocks access to sensitive path patterns (.env, credentials, keys, auth-profiles.json, SSH keys, etc.) before execution.
Proposed Solution
Extend the existing file deny list to also apply to MCP tool file operations, or provide a dedicated tools.mcp.denyPaths config. MCP tools should not have broader file access than native tools.
Impact
Medium. Security gap — especially relevant as MCP adoption grows and more servers handle file I/O.
Environment
- OpenClaw 2026.4.10 (npm, macOS)
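
An added example (not the author's cc-mcp-guard.py and not OpenClaw code) of a PreToolUse guard of the kind the Workaround describes. It assumes the hook receives a JSON event on stdin with `tool_name` and `tool_input` fields and that exit status 2 blocks the call; the deny patterns are constructed from the categories the issue lists.

```python
import fnmatch
import json
import os
import sys

# Constructed deny rules, modelled on the categories named in the issue.
DENY_NAMES = (".env", ".env.*", "*credentials*", "auth-profiles.json",
              "id_rsa*", "id_ed25519*", "*.pem", "*.key")
DENY_DIRS = {".ssh"}

def iter_strings(value):
    """Yield every string nested in the tool arguments (argument names vary per server)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list, tuple)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from iter_strings(v)

def is_sensitive(raw):
    """True if the lexical or symlink-resolved form of raw hits a deny rule."""
    if "\0" in raw:
        return True  # NUL never belongs in a path; refuse rather than guess
    expanded = os.path.expanduser(raw)
    for form in (os.path.normpath(expanded), os.path.realpath(expanded)):
        # Lowercase first: macOS file systems are usually case-insensitive.
        for part in form.lower().split(os.sep):
            if part in DENY_DIRS or any(fnmatch.fnmatchcase(part, p) for p in DENY_NAMES):
                return True
    return False

def decide(event):
    """Return (allow, reason) for one hook event (assumed shape, see lead-in)."""
    tool = event.get("tool_name", "")
    if not tool.startswith("mcp__"):
        return True, "not an MCP tool"  # native tools keep their own deny list
    hits = sorted({s for s in iter_strings(event.get("tool_input", {})) if is_sensitive(s)})
    if hits:
        return False, f"{tool} blocked, sensitive path(s): {', '.join(hits)}"
    return True, "ok"

if __name__ == "__main__":
    try:
        allow, reason = decide(json.load(sys.stdin))
    except (ValueError, AttributeError) as exc:
        allow, reason = False, f"unparseable hook input: {exc}"  # fail closed
    if not allow:
        print(reason, file=sys.stderr)
        sys.exit(2)  # assumed convention: exit status 2 blocks the tool call
```

Because every string argument is checked, a write whose content merely mentions a denied name is also refused; the guard errs toward blocking.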