desktop-bridge
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCREDENTIALS_UNSAFECOMMAND_EXECUTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill documentation explicitly suggests the command 'curl -fsSL https://rclone.org/install.sh | bash' for manual installation. This is a dangerous pattern as it executes unverified remote code with the user's privileges.
- DATA_EXFILTRATION (HIGH): The skill exposes the user's workspace to the public internet. Since the default path is set to the user's HOME directory in 'start.sh', this potentially grants remote access to highly sensitive files such as SSH keys, cloud credentials (~/.aws), and environment variables (.env), which constitutes a high risk of sensitive data exposure.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill downloads binaries and scripts from non-trusted external sources including rclone.org and GitHub releases for Cloudflare, which are not listed in the verified trusted organizations.
- CREDENTIALS_UNSAFE (LOW): Generated WebDAV passwords and usernames are stored in plain text in '/tmp/desktop-bridge/', potentially allowing other local users on the system to discover the access credentials.
- COMMAND_EXECUTION (LOW): The script executes various system-level commands and manages background processes for 'rclone' and 'cloudflared', which is necessary for its stated function but requires significant permissions.
Recommendations
- HIGH: Downloads and executes remote code from: https://rclone.org/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata