desktop-commander
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The `mcp__desktop-commander__start_process` and `mcp__desktop-commander__interact_with_process` tools allow arbitrary execution of shell, Python, and Node.js code on the host machine.
- COMMAND_EXECUTION (CRITICAL): The skill documentation explicitly admits that directory whitelisting (`allowedDirectories`) does not apply to terminal commands. A file that `read_file` would refuse can still be read with `cat` through `start_process`, so the allowlist provides no effective boundary and the agent has unrestricted access to the host system.
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). Evidence chain:
  1. Ingestion points: `read_file` (URLs and local files) and `start_search`.
  2. Boundary markers: absent.
  3. Capability inventory: terminal execution (`start_process`), file writing (`write_file`), process killing, and configuration modification.
  4. Sanitization: absent; the documentation warns that the safety limits are easily bypassed by shell commands.
- DATA_EXFILTRATION (HIGH): The combination of arbitrary local file read access and the ability to fetch content from URLs provides a direct path for sensitive data exposure and exfiltration: content read from a local file can be placed into the URL of a subsequent `read_file` request, so the fetch itself carries the data to an attacker-controlled server.
- EXTERNAL_DOWNLOADS (LOW): The `read_file` tool includes an `isUrl` parameter that allows the agent to download and process content from any external URL, serving as a primary entry point for malicious payloads.
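The following is an added illustration written for this audit page, not desktop-commander's own code. It models the gap behind the COMMAND_EXECUTION and EXTERNAL_DOWNLOADS findings as a tool-call policy gate: a naive gate that checks `allowedDirectories` only for file tools (so `start_process` bypasses it), beside a hardened gate that applies the same allowlist to the process tool's working directory and path-like command tokens and restricts `isUrl` reads to an allowlist of hosts. The tool and parameter names (`read_file`, `write_file`, `start_process`, `interact_with_process`, `path`, `isUrl`, `command`, `cwd`, `input`) follow the audit text; their exact shapes in the real server, the sample directories and the host allowlist are assumptions.

```python
"""Hypothetical MCP tool-call policy gate (added example, not desktop-commander code)."""
import os
import shlex
from urllib.parse import urlparse

ALLOWED_DIRECTORIES = ["/home/agent/workspace"]   # constructed sample allowedDirectories
ALLOWED_URL_HOSTS = {"docs.example.com"}          # constructed sample URL host allowlist
FILE_TOOLS = {"read_file", "write_file", "start_search"}
PROCESS_TOOLS = {"start_process", "interact_with_process"}


def _inside_allowed(path: str) -> bool:
    """True if the resolved path equals or sits under an allowed directory."""
    real = os.path.realpath(os.path.expanduser(path))
    for root in ALLOWED_DIRECTORIES:
        root_real = os.path.realpath(root)
        if real == root_real or real.startswith(root_real + os.sep):
            return True
    return False


def naive_gate(tool: str, args: dict) -> bool:
    """Models the documented gap: the allowlist is enforced for file tools only.

    A terminal command that reads the same file is waved through, and an
    isUrl read is allowed for any host.
    """
    if tool in FILE_TOOLS:
        if args.get("isUrl"):
            return True           # no host check at all
        return _inside_allowed(args["path"])
    return True                   # start_process and everything else: unrestricted


def hardened_gate(tool: str, args: dict) -> bool:
    """Applies one allowlist to every capability the server exposes."""
    if tool in FILE_TOOLS:
        if args.get("isUrl"):
            host = urlparse(args["path"]).hostname or ""
            return host in ALLOWED_URL_HOSTS
        return _inside_allowed(args["path"])
    if tool in PROCESS_TOOLS:
        # The working directory must itself be inside the allowlist.
        cwd = args.get("cwd", ALLOWED_DIRECTORIES[0])
        if not _inside_allowed(cwd):
            return False
        # Every path-like token in the command or process input must be inside
        # the allowlist too. Relative tokens are resolved against cwd. This is a
        # coarse, deny-on-doubt check: it cannot see paths built at runtime
        # (e.g. via $HOME, globs or subshells), so it narrows the gap rather
        # than closing it; the real fix is a sandboxed process, not a filter.
        text = args.get("command", "") + " " + args.get("input", "")
        try:
            tokens = shlex.split(text)
        except ValueError:
            return False          # unbalanced quotes: refuse to guess
        for tok in tokens:
            if tok.startswith(("/", "~", "./", "../")):
                candidate = tok if tok.startswith(("/", "~")) else os.path.join(cwd, tok)
                if not _inside_allowed(candidate):
                    return False
        return True
    return False                  # unknown tools are denied by default


if __name__ == "__main__":
    probe = ("start_process", {"command": "cat /etc/passwd"})
    print("naive:", naive_gate(*probe), "hardened:", hardened_gate(*probe))
```

The `naive_gate`/`hardened_gate` pair is only a model of the policy; wiring it in front of a real server is an assumption outside the audit text. The point it demonstrates is the one the finding makes: a path allowlist that is consulted by only some tools is a no-op once any tool can spawn a shell.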
Recommendations
- AI detected serious security threats
Audit Metadata