rustdesk-doctor
Fail
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell interpolation to insert user-provided arguments (IP addresses or domains) directly into command strings such as `route -n get <服务器IP>` (server IP placeholder) and `ssh -o ConnectTimeout=10 root@$SERVER`. If the input is not strictly validated, an attacker could supply a malicious string (e.g., `1.2.3.4; rm -rf /`) to execute arbitrary commands on the local system.
- [REMOTE_CODE_EXECUTION]: The diagnostic process SSHes into a remote server as the root user and executes a multi-line script. This script performs high-privilege operations including container inspection (`docker ps`, `docker logs`), network monitoring (`tcpdump`), and reading sensitive files (`/root/id_ed25519.pub`). This pattern represents a significant remote execution surface.
- [DATA_EXFILTRATION]: The skill reads local RustDesk configuration files (`RustDesk2.toml`, `RustDesk_local.toml`) and logs (`RustDesk_rCURRENT.log`). These files can contain sensitive information such as unique connection IDs, server configurations, and potentially security tokens or metadata that could be exposed during the diagnostic process.
- [EXTERNAL_DOWNLOADS]: Automated scans detected `curl` output piped to `python3`. Analysis shows this is used to query a local Mihomo (Clash) Unix socket and parse the JSON output with a static Python script. Although it is used only for local configuration inspection, piping network-utility output directly into an interpreter is a high-risk pattern if the source service can be manipulated.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost/rules, http://localhost/configs, http://localhost/connections - DO NOT USE without thorough review
Audit Metadata