Add security.md and update readme/faq with some up to date security info #220
@@ -372,22 +372,30 @@ We welcome feedback from users who try Desktop Commander with other MCP clients | |||||||
| ## Security & Permissions | ||||||||
| > **Important**: For current security limitations and vulnerability reporting, see our [Security Policy](SECURITY.md). | ||||||||
| ### Is it safe to give Claude access to my file system? | ||||||||
| Claude Desktop Commander operates within certain safety boundaries: | ||||||||
| Claude Desktop Commander has known security limitations: | ||||||||
| - While file restrictions are currently disabled, Claude typically only works with files in folders you specifically direct it to | ||||||||
| - Directory restrictions can be bypassed via symlinks and terminal commands | ||||||||
| - Command blocking can be bypassed via command substitution and absolute paths | ||||||||
| - Claude can only perform actions that your user account has permission to do | ||||||||
| - No data is sent to external servers beyond what you share in Claude conversations | ||||||||
| > **Note:** Command blocking features are still in development. You should always review the actions Claude proposes before allowing it to make system changes, especially when working with important files or system configurations. | ||||||||
| > **For production use requiring security**: Use the [Docker installation](#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) with selective folder mounting for complete isolation from your host system. | ||||||||
| ### Can I control which directories Claude can access? | ||||||||
| Recent updates have removed path limitations, and work is in progress to add configuration options that will allow you to specify which directories the tool can access. This feature is being developed in [PR #16](https://github.com/wonderwhy-er/ClaudeDesktopCommander/pull/16). | ||||||||
| Directory access controls exist but have known bypass vulnerabilities. For secure usage, we recommend the Docker installation which provides complete isolation with controlled folder mounting. | ||||||||
| ### What commands are blocked by default? | ||||||||
| Command blocking exists but can be bypassed through various methods. The current system blocks dangerous commands like `rm`, `sudo`, `format`, etc., but these restrictions can be circumvented. | ||||||||
| ### How do I report security vulnerabilities? | ||||||||
| Please create a [GitHub Issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) with detailed information about any security vulnerabilities you discover. See our [Security Policy](SECURITY.md) for full guidelines. | ||||||||
Contributor comment on lines +396 to +398:

Align vulnerability reporting with private disclosure

Switch to GitHub’s private reporting.

-Please create a [GitHub Issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) with detailed information about any security vulnerabilities you discover. See our [Security Policy](SECURITY.md) for full guidelines.
+Please use GitHub's "Report a vulnerability" in the repository Security tab to submit a private advisory with detailed information. See our [Security Policy](SECURITY.md) for full guidelines.
| Claude Desktop Commander doesn't have a pre-defined blocklist, but you can use the `block_command` and `unblock_command` functions to manage which commands Claude can execute. It's recommended to block commands that could potentially be destructive, such as `rm -rf` or `format`. | ||||||||
| ### Why is the fileWriteLineLimit set to 50 by default? What is the maximum value? | ||||||||
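Review bot: The new answer under "What commands are blocked by default?" (the line beginning "Command blocking exists but can be bypassed") says the current system blocks `rm`, `sudo` and `format`, while the retained paragraph that follows it still says Claude Desktop Commander "doesn't have a pre-defined blocklist" and points users at `block_command` and `unblock_command`; after this change one of the two is wrong, so drop or rewrite the stale paragraph so the FAQ gives a single answer. The hunk also deletes the "Note" telling users to review every action Claude proposes before allowing system changes; that is the one mitigation in this section that does not depend on the bypassable restrictions, so keep it next to the new "For production use requiring security" line rather than replacing it with that line. In that same line, "complete isolation from your host system" overstates what Docker with selective folder mounting gives: every folder you mount is exactly as exposed to terminal commands as it would be without the container, so phrase it as isolation of everything you do not mount and suggest read-only mounts for folders Claude only needs to read.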
@@ -565,9 +565,15 @@ For commands that may take a while: | |||||||||
| ### ⚠️ Important Security Warnings | ||||||||||
| 1. **Always change configuration in a separate chat window** from where you're doing your actual work. Claude may sometimes attempt to modify configuration settings (like `allowedDirectories`) if it encounters filesystem access restrictions. | ||||||||||
| > **For comprehensive security information and vulnerability reporting**: See [SECURITY.md](SECURITY.md) | ||||||||||
| 2. **The `allowedDirectories` setting currently only restricts filesystem operations**, not terminal commands. Terminal commands can still access files outside allowed directories. Full terminal sandboxing is on the roadmap. | ||||||||||
| 1. **Known security limitations**: Directory restrictions and command blocking can be bypassed through various methods including symlinks, command substitution, and absolute paths or code execution | ||||||||||
| 2. **Always change configuration in a separate chat window** from where you're doing your actual work. Claude may sometimes attempt to modify configuration settings (like `allowedDirectories`) if it encounters filesystem access restrictions. | ||||||||||
| 3. **The `allowedDirectories` setting currently only restricts filesystem operations**, not terminal commands. Terminal commands can still access files outside allowed directories. | ||||||||||
| 4. **For production security**: Use the [Docker installation](#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) which provides complete isolation from your host system. | ||||||||||
Contributor comment on lines +568 to +576:

Fix invalid self-link anchor and soften isolation language

-4. **For production security**: Use the [Docker installation](#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) which provides complete isolation from your host system.
+4. **For production security**: Use the [Docker installation](#docker-installation) for a strong isolation boundary. Mount only the folders you need (prefer read-only binds) to limit host exposure.

Add a stable anchor right before the “Option 6” heading (outside this hunk): `<a id="docker-installation"></a>`

Verification agent: Verify anchor fixes repo-wide. Run this to ensure the new anchor exists and no emoji-based fragments remain:

```bash
#!/bin/bash
set -euo pipefail
echo "Check that explicit Docker anchor exists in README:"
rg -n 'id="docker-installation"' README.md || { echo "Missing explicit anchor id"; exit 1; }
echo "Ensure no outdated emoji fragment links remain:"
if rg -n 'option-6-docker-installation' SECURITY.md README.md FAQ.md; then
  echo "Found outdated fragments above; replace them with '#docker-installation' or 'README.md#docker-installation'"
  exit 1
else
  echo "No outdated fragments found."
fi
echo "References to README.md#docker-installation:"
rg -n 'README\.md#docker-installation' SECURITY.md FAQ.md README.md || true
```

Add explicit Docker installation anchor and replace outdated fragment links

The verification script confirmed that README.md is missing the required

These changes are required to restore correct navigation and ensure the new anchor functions as intended.
| ### Configuration Tools | ||||||||||
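Review bot: Item 1 ("Known security limitations") names the bypass classes but, unlike items 2 to 4, gives the reader nothing to act on, and item 3 already states the concrete consequence that terminal commands reach files outside `allowedDirectories`; either fold item 1 into item 3 or end item 1 with the practical advice, namely that `allowedDirectories` and command blocking are guardrails for the model and not a security boundary, which is the framing this PR's SECURITY.md uses. Item 1's list also reads oddly as "absolute paths or code execution"; "absolute paths, or arbitrary code execution" is what is meant. Item 4's "complete isolation from your host system" contradicts item 3 for anything mounted into the container, since mounted folders are fully reachable by those same terminal commands; qualify it as isolation of unmounted host paths and recommend read-only binds for folders Claude only needs to read. The fragment `#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required` is flagged as an invalid link target in the comment above; an explicit anchor element before the Docker heading is the safer target.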
@@ -854,6 +860,9 @@ Yes, when installed through npx or Smithery, Desktop Commander automatically upd | |||||||||
| ### I'm having trouble installing or using the tool. Where can I get help? | ||||||||||
| Join our [Discord server](https://discord.gg/kQ27sNnZr7) for community support, check the [GitHub issues](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) for known problems, or review the [full FAQ](FAQ.md) for troubleshooting tips. You can also visit our [website FAQ section](https://desktopcommander.app#faq) for a more user-friendly experience. If you encounter a new issue, please consider [opening a GitHub issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/new) with details about your problem. | ||||||||||
| ### How do I report security vulnerabilities? | ||||||||||
| Please create a [GitHub Issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) with detailed information about any security vulnerabilities you discover. See our [Security Policy](SECURITY.md) for complete guidelines on responsible disclosure. | ||||||||||
Contributor comment on lines +863 to +865:

Align vulnerability reporting with private disclosure

Route users to GitHub’s private advisory flow rather than public issues.

-Please create a [GitHub Issue](https://github.com/wonderwhy-er/DesktopCommanderMCP/issues) with detailed information about any security vulnerabilities you discover. See our [Security Policy](SECURITY.md) for complete guidelines on responsible disclosure.
+Please use GitHub's "Report a vulnerability" flow (Security tab) to submit a private advisory with detailed information. See our [Security Policy](SECURITY.md) for complete guidelines on responsible disclosure.
| ## Data Collection & Privacy | ||||||||||
| Desktop Commander collects limited anonymous telemetry data to help improve the tool. No personal information, file contents, file paths, or command arguments are collected. | ||||||||||
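Review bot: The new "How do I report security vulnerabilities?" answer sends reporters to a public GitHub Issue with "detailed information", which publishes exploit details before any fix exists; combined with the "Disclosure Timeline" in this PR's SECURITY.md, which says the team "may not respond immediately", a public report can stay visible and unpatched indefinitely, so point reporters at a private channel (GitHub's private advisory flow, as suggested in the comment on the FAQ hunk) and keep the public tracker for non-sensitive bugs. The same question is answered in the FAQ hunk of this PR with different wording ("full guidelines" versus "complete guidelines on responsible disclosure"); make one of the two the source of truth and have the other link to it so they do not drift.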
| @@ -0,0 +1,40 @@ | ||||||||||||||||||||||||||
| # Security Policy | ||||||||||||||||||||||||||
| ## Current Security Approach | ||||||||||||||||||||||||||
| Desktop Commander is designed for human users working with AI assistants like Claude. The security restrictions built into the tool are primarily **guardrails to help the AI model** avoid actions the user didn't intend, rather than hardened security boundaries. | ||||||||||||||||||||||||||
| **Security is not currently our top priority** - we haven't heard significant demand from users for stronger security controls. We take **user needs seriously**, so if you need better security controls for your specific use case, please contact the team to discuss your requirements. | ||||||||||||||||||||||||||
| **For users who need security**: We recommend using Desktop Commander with Docker, which provides complete isolation. See the [Docker installation section](README.md#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) in our README for setup instructions. | ||||||||||||||||||||||||||
Contributor comment on lines +5 to +10:

Avoid absolute “complete isolation” claim and fix invalid README anchor fragment

Apply:

-**For users who need security**: We recommend using Desktop Commander with Docker, which provides complete isolation. See the [Docker installation section](README.md#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) in our README for setup instructions.
+**For users who need security**: We recommend running Desktop Commander in Docker, which provides a strong isolation boundary when used with selective folder mounts. Avoid mounting broad host paths and prefer read-only binds (e.g., `-v /path:/mnt/path:ro`) where possible. See the [Docker installation section](README.md#docker-installation) in our README for setup instructions.
| ## Reporting Vulnerabilities | ||||||||||||||||||||||||||
| 1. **Create a GitHub Issue** with detailed information | ||||||||||||||||||||||||||
| 2. **Label it as security-related** for visibility | ||||||||||||||||||||||||||
| 3. **Include technical details** and proof of concept if possible | ||||||||||||||||||||||||||
| 4. **Request attribution** if you'd like to be credited in any future advisories | ||||||||||||||||||||||||||
| We will acknowledge reports and provide context as needed. | ||||||||||||||||||||||||||
Contributor comment on lines +13 to +19:

Use private vulnerability reporting (GitHub Security tab) instead of public issues

Public GitHub Issues for vulns risk 0‑day exposure. Prefer GitHub’s private “Report a vulnerability” workflow.

-1. **Create a GitHub Issue** with detailed information
-2. **Label it as security-related** for visibility
-3. **Include technical details** and proof of concept if possible
-4. **Request attribution** if you'd like to be credited in any future advisories
-
-We will acknowledge reports and provide context as needed.
+1. **Use GitHub's "Report a vulnerability"** (Security tab) to submit a private advisory
+2. **Include technical details** and a proof of concept if possible
+3. **State desired attribution** if you'd like to be credited in any future advisories
+4. If private reporting is unavailable, contact us on Discord to coordinate a secure channel before disclosure
+
+We will acknowledge reports within 7 days and provide context as needed.
| ## Current Security Limitations | ||||||||||||||||||||||||||
| This project has known security limitations: | ||||||||||||||||||||||||||
| - Directory restrictions can be bypassed via symlinks and terminal commands | ||||||||||||||||||||||||||
| - Command blocking can be bypassed via substitution and absolute paths | ||||||||||||||||||||||||||
| - Terminal commands can access files outside `allowedDirectories` restrictions | ||||||||||||||||||||||||||
| **For production use requiring security**: Use Docker installation with selective folder mounting for complete isolation. See [Docker installation instructions](README.md#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) for setup details. | ||||||||||||||||||||||||||
Contributor comment on lines +27 to +28:

Repeat: soften “complete isolation” and fix README link fragment

Mirror the earlier phrasing, and switch to the stable anchor.

-**For production use requiring security**: Use Docker installation with selective folder mounting for complete isolation. See [Docker installation instructions](README.md#option-6-docker-installation-🐳-⭐-auto-updates-no-nodejs-required) for setup details.
+**For production use requiring security**: Use the Docker installation with selective folder mounting for a strong isolation boundary. See [Docker installation instructions](README.md#docker-installation) for setup details.
| ## Disclosure Timeline | ||||||||||||||||||||||||||
| As a startup focused on user needs rather than theoretical security concerns, we prioritize issues based on actual user demand. We may not respond immediately to security reports but will address issues that affect real user workflows. We appreciate responsible disclosure and will work with researchers when addressing vulnerabilities aligns with user priorities. | ||||||||||||||||||||||||||
| ## Contact | ||||||||||||||||||||||||||
| - **GitHub Issues**: https://github.com/wonderwhy-er/DesktopCommanderMCP/issues | ||||||||||||||||||||||||||
| - **Discord Community**: https://discord.gg/kQ27sNnZr7 | ||||||||||||||||||||||||||
| --- | ||||||||||||||||||||||||||
| *Last updated: January 2025* | ||||||||||||||||||||||||||
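Review bot: "Reporting Vulnerabilities" asks researchers to post technical details and a proof of concept in a public issue labelled security-related, and "Disclosure Timeline" then commits to no response time at all; together these mean a working exploit for a tool that executes terminal commands with the user's own account permissions can sit public and unaddressed indefinitely, which leaves users worse off than having no policy. At minimum, route reports through a private channel (GitHub's private advisory flow, or a named contact) and state an acknowledgement window, even a generous one, so reporters know when coordinated disclosure ends. In "Current Security Limitations", the third bullet ("Terminal commands can access files outside `allowedDirectories` restrictions") restates the first ("bypassed via symlinks and terminal commands"); collapse them and state the conclusion the "Current Security Approach" section already implies, that these restrictions are guardrails for the model and must not be relied on as a security boundary. "Complete isolation" for Docker should be qualified the same way as in the README hunk: only unmounted host paths are isolated. The Docker link reuses the emoji fragment from the README and should point at a stable explicit anchor.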
Contributor comment on line 385 of the FAQ hunk:

Fix broken in-page link (points to FAQ instead of README) and soften isolation claim

The link currently points to a non-existent anchor within FAQ and uses an emoji fragment. Point to README’s stable anchor and avoid “complete isolation”.