touchdesigner-mcp
Fail
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The `scripts/setup.sh` file downloads a TouchDesigner component (`twozero.tox`) from an external domain, `https://www.404zero.com/pisang/twozero.tox`. This domain is not identified as a trusted vendor or well-known service.
- [REMOTE_CODE_EXECUTION]: The `td_execute_python` tool allows for the execution of arbitrary Python code within the TouchDesigner environment. The documentation explicitly states it has unrestricted access to the filesystem and TD Python API.
- [COMMAND_EXECUTION]: The `td_input_execute` tool allows the agent to simulate mouse and keyboard inputs on the host system. This capability, combined with arbitrary script execution, can be used to perform actions outside the intended scope of creative coding.
- [DATA_EXFILTRATION]: The skill provides tools like `td_read_dat`, `td_read_chop`, and `td_get_screenshot` which can access internal project data and system state. Combined with the `td_execute_python` tool and network capabilities, these could be leveraged to exfiltrate sensitive information.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data (operator names, script content, and network metadata) from the TouchDesigner environment.
  - Ingestion points: `td_read_dat` (reads script code), `td_get_network` (reads operator names/types), and `td_get_operator_info` (reads comments and parameters).
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in the data it reads.
  - Capability inventory: Includes `td_execute_python` (RCE), `td_write_dat` (script modification), and `td_input_execute` (system input simulation).
  - Sanitization: Absent. Data fetched from the TouchDesigner instance is interpolated directly into the context without validation.
Recommendations
- AI detected serious security threats
Audit Metadata