vm0-computer

Warn

Audited by Socket on Mar 18, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This VM0 Computer Connector skill is functionally coherent: it exposes a local HTTP/WebSocket proxy that forwards to VM0-managed remote services and requires a domain and bridge token. The behavior matches the stated purpose (read/write/list files via WebDAV and CDP proxying). However, it concentrates a powerful credential (COMPUTER_CONNECTOR_BRIDGE_TOKEN) inside a potentially untrusted sandbox and exposes a local unauthenticated proxy that any local process can use to access the user's filesystem. The runtime install (npm install ws) inside a transient sandbox is a supply-chain risk. Overall, the pattern is legitimate for its purpose but carries moderate-to-high supply-chain and credential-exposure risks and should only be used with strict operational controls: pin and audit dependencies, limit token scope/TTL, require user consent for each operation, and restrict which sandbox processes may access the local proxy.

Confidence: 80%
Severity: 75%
Audit Metadata
Analyzed At: Mar 18, 2026, 08:06 PM
Package URL: pkg:socket/skills-sh/vm0-ai%2Fvm0-skills%2Fvm0-computer%2F@d4ca826f025c9243febc6c6b2c7d90673d80d9fc