
[Security Audit] AgentWard Permission Analysis — Windows Desktop Automation MCP #100

@Ratnaditya-J

Description


Hey — I reviewed Windows-MCP's permission surface. I see you've been transparent about the risks in SECURITY.md, which I appreciate. These findings are meant to help prioritize hardening for a tool with 2M+ users.

TL;DR

17 tools give an agent full desktop control — PowerShell execution, unrestricted filesystem access, registry manipulation, GUI automation, clipboard access, and process termination. Zero runtime permission boundaries exist. Everything runs with the full privileges of the user.

Top Findings

1. Unrestricted PowerShell execution (CRITICAL)

The PowerShell tool passes any command to subprocess.run() with no filtering or allowlisting. An agent can run Remove-Item C:\ -Recurse -Force, disable Windows Defender, create admin accounts, or exfiltrate data — all in a single call.

2. Unrestricted filesystem access (CRITICAL)

The FileSystem tool supports read/write/delete on any path. Absolute paths access anywhere on the system. delete_path with recursive=True runs shutil.rmtree() with no confirmation. An agent can read .ssh/id_rsa, browser password databases, or any sensitive file.

3. Registry manipulation (CRITICAL)

The Registry tool provides full CRUD access to any registry key including HKLM. An agent can install persistence via Run keys, disable security features, or destabilize the system by deleting critical keys.

4. Full-desktop screenshots (HIGH)

Snapshot with use_vision=True captures the entire desktop — including password fields, banking dashboards, medical records, and private messages. Multi-monitor support captures all displays.

5. PostHog telemetry default-on (MEDIUM)

Telemetry is enabled by default with a hardcoded API key. Persistent user ID survives reboots. Consider making this opt-in.

Suggestions

  1. PowerShell allowlist/blocklist — at minimum block known-dangerous cmdlets
  2. Filesystem path restrictions — configurable directory allowlist, default to Desktop/Documents
  3. Registry path restrictions — block security-sensitive paths by default
  4. Approval gate for destructive operations (file delete, registry write, process kill)
  5. Telemetry opt-in — change default to disabled

I know this is a power-user tool by design. These suggestions are about adding opt-in guardrails for the 2M users who may not be running it in a VM.
Found using AgentWard — open-source permission control plane for AI agents.
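One way to implement suggestions 2 and 4 above (a filesystem directory allowlist plus an approval gate for recursive deletes), added here as an example and not code from Windows-MCP or AgentWard; the root names, decision strings and temp-dir layout are assumptions:

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

def is_within(candidate: Path, root: Path) -> bool:
    """True if candidate lies under root; both must already be resolved."""
    try:
        candidate.relative_to(root)
        return True
    except ValueError:
        return False

def resolve_allowed(raw: str, allowed_roots: list) -> Optional[Path]:
    """Resolve a tool-supplied path; return it only if it lands under an allowlisted root.

    Path.resolve() collapses '..' segments and follows symlinks, so the decision
    is made on where the path actually lands, not on how it is spelled.
    """
    target = Path(raw).resolve()
    for root in allowed_roots:
        if is_within(target, Path(root).resolve()):
            return target
    return None

def decide_file_op(raw: str, op: str, allowed_roots: list,
                   recursive: bool = False, approved: bool = False) -> str:
    """Policy decision for one FileSystem-tool request: 'allow', 'needs-approval' or 'deny'.

    A recursive delete inside the allowlist is still held until explicitly approved,
    which is the gate the issue proposes for destructive operations.
    """
    if resolve_allowed(raw, allowed_roots) is None:
        return "deny"
    if op == "delete" and recursive and not approved:
        return "needs-approval"
    return "allow"

def symlink_escape_is_denied() -> bool:
    """Constructed check: a symlink inside the allowed root that points outside it is denied.

    Returns True when the policy denies it (or when the platform cannot create symlinks).
    """
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "Documents"); docs.mkdir()      # hypothetical allowed root
        outside = Path(tmp, "secrets"); outside.mkdir()  # hypothetical sensitive dir
        link = docs / "escape"
        try:
            os.symlink(outside, link, target_is_directory=True)
        except (OSError, NotImplementedError):
            return True
        return decide_file_op(str(link / "id_rsa"), "read", [docs]) == "deny"
```

The PowerShell tool would need a separate check, since a command string can reach the same paths without ever passing through the FileSystem tool.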
