Desktop Commander MCP
npm:@wonderwhy-er/desktop-commander@0.2.41
github.com/wonderwhy-er/DesktopCommanderMCP
Severity breakdown
Worst finding
Tool `get_config` exposes a code/command execution surface
· get_config
`get_config` looks like it executes code or shell commands ( Get the complete server configuration as JSON. Config includes fields for: - blockedCommands (array of blocked shell commands) - defaultShell (shell to use for commands) - allowedDirectories (paths the server can access) - fileReadLineLimit (max lines for read_file, default 1000) - fileWriteLineLimit (max lines per write_file call, default 50) - telemetryEnabled (boolean for telemetry opt-in/out) - currentClient (information about the currently connected MCP client) - clientHistory (history of all clients that have connected) - version (version of the DesktopCommander) - systemInfo (operating system and environment details) This command can be referenced as "DC: ..." or "use Desktop Commander to ..." in your instructions.). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.
fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.
All 22 findings
- critical · Tool `get_config` exposes a code/command execution surface · get_config · excessive agency
`get_config` looks like it executes code or shell commands ( Get the complete server configuration as JSON. Config includes fields for: - blockedCommands (array of blocked shell commands) - defaultShell (shell to use for commands) - allowedDirectories (paths the server can access) - fileReadLineLimit (max lines for read_file, default 1000) - fileWriteLineLimit (max lines per write_file call, default 50) - telemetryEnabled (boolean for telemetry opt-in/out) - currentClient (information about the currently connected MCP client) - clientHistory (history of all clients that have connected) - version (version of the DesktopCommander) - systemInfo (operating system and environment details) This command can be referenced as "DC: ..." or "use Desktop Commander to ..." in your instructions.). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.
fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.
- critical · Tool `read_file` exposes a code/command execution surface · read_file · excessive agency
`read_file` looks like it executes code or shell commands ( Read contents from files and URLs. Read PDF files and extract content as markdown and images. Prefer this over 'execute_command' with cat/type for viewing files. Supports partial file reading with: - 'offset' (start line, default: 0) * Positive: Start from line N (0-based indexing) * Negative: Read last N lines from end (tail behavior) - 'length' (max lines to read, default: configurable via 'fileReadLineLimit' setting, initially 1000) * Used with positive offsets for range reading * Ignored when offset is negative (reads all requested tail lines) Examples: - offset: 0, length: 10 → First 10 lines - offset: 100, length: 5 → Lines 100-104 - offset: -20 → Last 20 lines - offset: -5, length: 10 → Last 5 lines (length ignored) Performance optimizations: - Large files with negative offsets use reverse reading for efficiency - Large files with deep positive offsets use byte estimation - Small files use fast readline streaming When reading from the file system, only works within allowed directories. Can fetch content from URLs when isUrl parameter is set to true (URLs are always read in full regardless of offset/length). FORMAT HANDLING (by extension): - Text: Uses offset/length for line-based pagination - Excel (.xlsx, .xls, .xlsm): Returns JSON 2D array * sheet: "Sheet1" (name) or "0" (index as string, 0-based) * range: ALWAYS use FROM:TO format (e.g., "A1:D100", "C1:C1", "B2:B50") * offset/length work as row pagination (optional fallback) - Images (PNG, JPEG, GIF, WebP): Base64 encoded viewable content - PDF: Extracts text content as markdown with page structure * offset/length work as page pagination (0-based) * Includes embedded images when available - DOCX (.docx): Two modes depending on parameters: * DEFAULT (no offset/length): Returns a text-bearing outline — shows paragraphs with text, tables with cell content, styles, image refs. Skips shapes/drawings/SVG noise. Each element shows its body index [0], [1], etc. * WITH offset/length: Returns raw pretty-printed XML with line pagination. Use this to drill into specific sections or see the actual XML for editing. * EDITING WORKFLOW: 1) read_file to get outline, 2) read_file with offset/length to see raw XML around what you want to edit, 3) edit_block with old_string/new_string using XML fragments copied from the read output. * IMPORTANT: offset MUST be non-zero to get raw XML (use offset=1 to start from line 1). offset=0 always returns the outline regardless of length. * For BULK changes (translation, mass replacements): use start_process with Python zipfile module to find/replace all <w:t> elements at once. IMPORTANT: Always use absolute paths for reliability. Paths are automatically normalized regardless of slash direction. Relative paths may fail as they depend on the current working directory. Tilde paths (~/...) might not work in all contexts. Unless the user explicitly asks for relative paths, use absolute paths. This command can be referenced as "DC: ..." or "use Desktop Commander to ..." in your instructions.). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.
fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.
- critical · Tool `list_directory` exposes a code/command execution surface · list_directory · excessive agency
`list_directory` looks like it executes code or shell commands ( Get a detailed listing of all files and directories in a specified path. Use this instead of 'execute_command' with ls/dir commands. Results distinguish between files and directories with [FILE] and [DIR] prefixes. Supports recursive listing with the 'depth' parameter (default: 2): - depth=1: Only direct contents of the directory - depth=2: Contents plus one level of subdirectories - depth=3+: Multiple levels deep CONTEXT OVERFLOW PROTECTION: - Top-level directory shows ALL items - Nested directories are limited to 100 items maximum per directory - When a nested directory has more than 100 items, you'll see a warning like: [WARNING] node_modules: 500 items hidden (showing first 100 of 600 total) - This prevents overwhelming the context with large directories like node_modules Results show full relative paths from the root directory being listed. Example output with depth=2: [DIR] src [FILE] src/index.ts [DIR] src/tools [FILE] src/tools/filesystem.ts If a directory cannot be accessed, it will show [DENIED] instead. If a path does not exist, it will show [NOT_FOUND] instead. Only works within allowed directories. IMPORTANT: Always use absolute paths for reliability. Paths are automatically normalized regardless of slash direction. Relative paths may fail as they depend on the current working directory. Tilde paths (~/...) might not work in all contexts. Unless the user explicitly asks for relative paths, use absolute paths. This command can be referenced as "DC: ..." or "use Desktop Commander to ..." in your instructions.). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.
fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.
- critical · Tool `get_prompts` exposes a code/command execution surface · get_prompts · excessive agency
`get_prompts` looks like it executes code or shell commands ( Retrieve a specific Desktop Commander onboarding prompt by ID and execute it. SIMPLIFIED ONBOARDING V2: This tool only supports direct prompt retrieval. The onboarding system presents 5 options as a simple numbered list: 1. Organize my Downloads folder (promptId: 'onb2_01') 2. Explain a codebase or repository (promptId: 'onb2_02') 3. Create organized knowledge base (promptId: 'onb2_03') 4. Analyze a data file (promptId: 'onb2_04') 5. Check system health and resources (promptId: 'onb2_05') USAGE: When user says "1", "2", "3", "4", or "5" from onboarding: - "1" → get_prompts(action='get_prompt', promptId='onb2_01') - "2" → get_prompts(action='get_prompt', promptId='onb2_02') - "3" → get_prompts(action='get_prompt', promptId='onb2_03') - "4" → get_prompts(action='get_prompt', promptId='onb2_04') - "5" → get_prompts(action='get_prompt', promptId='onb2_05') The prompt content will be injected and execution begins immediately. This command can be referenced as "DC: ..." or "use Desktop Commander to ..." in your instructions.). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.
fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.
- high · Tool `set_config_value` name implies a side effect that is not declared · set_config_value · excessive agency
`set_config_value` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.
fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).
- high · Tool `write_file` name implies a side effect that is not declared · write_file · excessive agency
`write_file` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.
fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).
- high · Tool `write_pdf` name implies a side effect that is not declared · write_pdf · excessive agency
`write_pdf` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.
fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).
- high · Tool `create_directory` name implies a side effect that is not declared · create_directory · excessive agency
`create_directory` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.
fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).
- high · Tool `edit_block` name implies a side effect that is not declared · edit_block · excessive agency
`edit_block` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.
fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).
- medium · Tool `read_file` accepts unconstrained string input · read_file · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `path`, `range`, `sheet`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `write_file` accepts unconstrained string input · write_file · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `content`, `mode`, `path`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `create_directory` accepts unconstrained string input · create_directory · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `path`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `list_directory` accepts unconstrained string input · list_directory · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `path`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `move_file` accepts unconstrained string input · move_file · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `destination`, `source`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `start_search` accepts unconstrained string input · start_search · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `filePattern`, `path`, `pattern`, `searchType`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `get_more_search_results` accepts unconstrained string input · get_more_search_results · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `sessionId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `stop_search` accepts unconstrained string input · stop_search · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `sessionId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `get_file_info` accepts unconstrained string input · get_file_info · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `path`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `start_process` accepts unconstrained string input · start_process · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `command`, `shell`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `interact_with_process` accepts unconstrained string input · interact_with_process · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `input`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `get_recent_tool_calls` accepts unconstrained string input · get_recent_tool_calls · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `since`, `toolName`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
- medium · Tool `get_prompts` accepts unconstrained string input · get_prompts · unconstrained input
The following string parameter(s) have no `maxLength` constraint: `action`, `promptId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.
fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.
How this was scored
Source sandbox — live tools/list captured in an ephemeral Docker container (parameter schemas included → R1/R2/R4 fire). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].
Disagree with a finding? Open an issue.