desktop-commander-mcp
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill exposes tools like start_process and interact_with_process that allow for arbitrary shell command execution (e.g., bash). The documentation explicitly notes that directory restrictions (allowedDirectories) do not apply to these terminal commands.
- [REMOTE_CODE_EXECUTION] (HIGH): By combining the read_file tool's URL fetching capability (isUrl: true) with the process execution tools, the skill enables an agent to download and run arbitrary code from untrusted external sources.
- [DATA_EXFILTRATION] (HIGH): The agent's ability to read local files (including sensitive paths like SSH keys or environment configs) and execute network-capable commands via the shell allows for direct exfiltration of user data.
- [PROMPT_INJECTION] (HIGH): The skill presents a high risk for indirect prompt injection.
  1. Ingestion points: read_file (URLs and files), start_search (content).
  2. Boundary markers: Absent.
  3. Capability inventory: start_process, interact_with_process, write_file, edit_block, kill_process, set_config_value.
  4. Sanitization: Absent.
  Malicious instructions in external data could hijack these tools to compromise the system.
Recommendations
- AI detected serious security threats
Audit Metadata