When building AI agents with CrewAI, you'll often need to give them access to the filesystem. Reading configuration files, writing reports, processing data - these are all common tasks. CrewAI provides built-in tools like FileReadTool and FileWriterTool for this purpose, but there's a problem: they have almost no security controls.
I've been working with CrewAI for a while now and this has always bothered me. An agent with access to FileReadTool in unrestricted mode can read any file on your system. Your .env files, SSH keys, credentials - everything is fair game. And while you can restrict the tool to a single file path during initialization, that's often not practical when your agent needs to work with multiple files.
That's why I created crewai-fs-plus, a drop-in replacement for CrewAI's filesystem tools with proper security controls built in.
The problem with default tools
According to the official documentation, FileReadTool has exactly two modes: unrestricted (read anything) or restricted to a single file path fixed at initialization. There's no middle ground. No way to say "only read files in this directory" or "never touch .env files".
Consider this scenario: you have an agent that processes user-uploaded documents in /app/uploads/. With the default tools, there's nothing stopping a prompt injection attack from making the agent read /etc/passwd or ~/.ssh/id_rsa. The agent will happily comply.
How crewai-fs-plus solves this
The library introduces three layers of security that work together:
1. Base directory sandboxing
Every tool can be configured with a base_directory. All file operations are confined to this directory, and path traversal attempts are blocked:
from crewai_fs_plus import FileReadTool
reader = FileReadTool(base_directory="/app/uploads")
# This works
reader.run(file_path="document.pdf")
# This is blocked - the call returns an access-denied error instead of the file
reader.run(file_path="../../../etc/passwd")
The library resolves paths and checks that the final destination is still within the base directory, so no amount of ../ tricks will let you escape. One thing worth checking on any sandbox of this kind: the containment test has to run on the fully resolved path, with symlinks followed. A purely lexical check that only normalises ../ segments is walked straight through by a symlink inside the base directory that points outside it.
2. Whitelist patterns
You can specify exactly which files the agent is allowed to access using glob patterns:
reader = FileReadTool(
base_directory="/app/data",
whitelist=["*.json", "*.csv", "reports/**/*.txt"]
)
Now the agent can only read JSON files, CSV files, and text files in the reports subdirectory. Everything else is denied.
3. Blacklist patterns
Sometimes it's easier to say what you don't want accessed. Blacklist patterns take precedence over whitelists:
reader = FileReadTool(
base_directory="/app",
blacklist=["*.env", "*secret*", "*.key", "*.pem"]
)
Even if a file would otherwise be allowed, matching a blacklist pattern blocks access.
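To make the three layers concrete, here is an added example that combines base-directory sandboxing, whitelist patterns and blacklist precedence into one access check, in plain Python. This is not the crewai-fs-plus implementation: the FileAccessPolicy class, its check method, the error strings and the pattern semantics (a pattern without a slash is matched against the file name, a pattern with a slash against the whole path relative to the base directory, and **/ spans any number of directories) are this example's own assumptions, chosen so that the paths and patterns used above behave as the text describes. Like the real tools, it returns an error message rather than raising.

```python
"""Three-layer file access policy: sandbox, whitelist, blacklist.

Added example, not the crewai-fs-plus code. Class names, error strings
and glob semantics are assumptions made for this illustration.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass, field


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a glob into a regex. Assumed (gitignore-like) semantics:
    '*' and '?' never cross '/', and '**/' matches zero or more directories."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def _matches(pattern: str, rel_path: str) -> bool:
    """A pattern without '/' is tested against the file name, so '*.env'
    also catches 'config/.env'; a pattern with '/' is tested against the
    whole path relative to the base directory."""
    target = rel_path if "/" in pattern else rel_path.rsplit("/", 1)[-1]
    return _glob_to_regex(pattern).match(target) is not None


@dataclass
class FileAccessPolicy:
    base_directory: str
    whitelist: list[str] = field(default_factory=list)  # empty list = allow all
    blacklist: list[str] = field(default_factory=list)

    def check(self, file_path: str) -> tuple[str | None, str]:
        """Return (resolved_path, "") if access is allowed, else (None, error).
        Errors are returned rather than raised so an agent can report them."""
        base = os.path.realpath(self.base_directory)
        # realpath follows symlinks: a link inside the sandbox that points
        # outside it resolves to its real target and fails the prefix check.
        # An absolute file_path simply replaces base in os.path.join and is
        # caught by the same check.
        resolved = os.path.realpath(os.path.join(base, file_path))
        try:
            inside = os.path.commonpath([base, resolved]) == base
        except ValueError:  # different drives on Windows
            inside = False
        if not inside:
            return None, f"Error: Access denied - path escapes base directory {base}"
        rel = os.path.relpath(resolved, base).replace(os.sep, "/")
        for pat in self.blacklist:  # blacklist wins over whitelist
            if _matches(pat, rel):
                return None, f"Error: Access denied - path matches blacklist pattern '{pat}'"
        if self.whitelist and not any(_matches(p, rel) for p in self.whitelist):
            return None, "Error: Access denied - path matches no whitelist pattern"
        return resolved, ""


def demo_symlink_escape() -> str:
    """Constructed scenario: a symlink inside the sandbox pointing at a file
    outside it. The requested name 'report.txt' matches no blacklist pattern,
    only the resolved-path check stops it. Returns the error message."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.makedirs(base)
        secret = os.path.join(tmp, "outside.key")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(base, "report.txt"))
        _, err = FileAccessPolicy(base).check("report.txt")
        return err


if __name__ == "__main__":
    reader = FileAccessPolicy("/app/uploads")
    print(reader.check("document.pdf"))
    print(reader.check("../../../etc/passwd"))
    print(FileAccessPolicy("/app", blacklist=["*.env"]).check("config/.env"))
    print(demo_symlink_escape())
```

The order of the checks is the point: containment first, on the resolved path, then blacklist, then whitelist. Whichever library you use, confirm how its patterns treat the path separator: with plain fnmatch a `*` crosses `/`, with pathlib-style globbing it does not, and that difference decides whether `*.env` blocks `config/.env`.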
More tools, more control
Beyond the security features, crewai-fs-plus also includes tools covering operations the read/write pair doesn't:
- FileDeleteTool: Safely delete files and directories with recursive deletion support
- DirectoryReadTool: List directory contents with pattern filtering
All tools share the same security configuration options, so you can set up consistent access controls across your entire agent's filesystem operations. Treat FileDeleteTool as the highest-risk tool of the set: recursive deletion under a broad base_directory is exactly the combination a prompt injection would reach for, so give it its own, narrower configuration rather than reusing the reader's.
Graceful error handling
When an operation fails or is blocked, the tools return descriptive error messages instead of raising exceptions. This is important for AI agents - they can understand and report the error rather than crashing:
Error: Access denied - path matches blacklist pattern '*.env'
Getting started
Installation is simple:
pip install crewai-fs-plus
The tools are designed as drop-in replacements. If you're already using CrewAI's filesystem tools, you can switch by just changing the import and adding your security configuration:
# Before
from crewai_tools import FileReadTool
# After
from crewai_fs_plus import FileReadTool
reader = FileReadTool(
base_directory="/app/data",
whitelist=["*.txt", "*.json"],
blacklist=["*secret*", "*.env"]
)
Why this matters
As AI agents become more capable, they also become more dangerous. An agent that can read and write files is incredibly useful, but it's also a significant security risk. Defense in depth is essential - you shouldn't rely solely on the LLM to "know" not to read sensitive files.
With crewai-fs-plus, you can give your agents the filesystem access they need while maintaining proper boundaries. The agent can do its job, but it can't accidentally (or maliciously) access files it shouldn't.
If you're building CrewAI agents that interact with the filesystem, I'd encourage you to give it a try. The library is open source on GitHub and available on PyPI.
