jasondsmith72/tpc-mcpv2
criticalTotal PC Control MCP server - v2 with fixes and compression
MCP server (purpose undetermined)
1// The entire server exposes tools for screen capture, mouse control, keyboard control, clipboard access, and UI automation.
2// No authentication or authorization is implemented.
3// The server is designed to run over stdio but could be exposed to network via transport configuration.// Exploitable if MCP server is exposed to network (e.g., via WebSocket or HTTP transport) or if an attacker can inject prompts into the LLM that uses this server.
The MCP server exposes a comprehensive set of tools that allow complete control over the user's physical device: screen capture, mouse movement and clicks, keyboard input, clipboard read/write, and UI automation via PowerShell. There is no authentication, authorization, or input validation beyond basic type checks. The intended purpose is 'total-pc-control', which inherently includes all these capabilities, but the threat model is 'network_exposed', meaning an attacker who can send prompts to this MCP server can fully control the machine remotely.
ImpactAn attacker with access to this MCP server can capture screen contents, read and write clipboard data, simulate mouse and keyboard input, execute arbitrary keystrokes (including OS-level shortcuts), and use UI automation to interact with any application. This effectively gives the attacker full remote control of the user's computer, enabling data exfiltration, malware installation, credential theft, and other malicious actions.
FixImplement authentication and authorization for all tools. Restrict the server to local-only transport (e.g., stdio) and do not expose it to network. Add user confirmation prompts for sensitive actions (e.g., clipboard read, screen capture). Consider implementing a permission system that limits which tools can be invoked by which clients.
595server.tool(
596 "get_clipboard_text",
597 "Get text from the clipboard",
598 {},
599 async () => {
600 try {
601 const text = await tools.getClipboardText();
602 return {
603 content: [{ type: "text", text: `Clipboard content: ${text}` }],
604 };
605 } catch (error) { ... }
606 }
607);// Exploitable if MCP server is exposed to network or if an attacker can inject prompts into the LLM.
The 'get_clipboard_text' tool reads the contents of the system clipboard and returns them to the caller. The clipboard often contains sensitive information such as passwords, credit card numbers, private keys, or other confidential data. There is no restriction on when or how often this tool can be called, and no user notification that clipboard contents are being accessed.
ImpactAn attacker can exfiltrate any data that the user has copied to the clipboard, including passwords, tokens, financial information, and other sensitive data.
FixRequire explicit user consent before reading clipboard contents. Log clipboard access events. Consider implementing a whitelist of allowed clipboard operations or requiring a confirmation prompt.
715server.tool(
716 "get_clipboard_image",
717 "Get image from the clipboard (if available) as base64 data",
718 {},
719 async () => {
720 try {
721 const base64Image = await tools.getClipboardImage();
722 if (base64Image) {
723 return { content: [{ type: "text", text: `Clipboard image retrieved successfully. Image data: ${base64Image}` }] };
724 } else { ... }
725 } catch (error) { ... }
726 }
727);// Exploitable if MCP server is exposed to network or if an attacker can inject prompts into the LLM.
The 'get_clipboard_image' tool retrieves any image from the clipboard and returns it as base64 data. Images on the clipboard can contain sensitive information such as screenshots of confidential documents, passwords, or personal photos. There is no restriction or user notification.
ImpactAn attacker can exfiltrate any image data that the user has copied to the clipboard, potentially exposing sensitive visual information.
FixRequire explicit user consent before reading clipboard images. Log access events. Consider disabling this tool or making it opt-in.
116server.tool(
117 "move_mouse",
118 "Move the mouse cursor to a specific position",
119 { x: z.number().int().min(0), y: z.number().int().min(0) },
120 async ({ x, y }) => { ... }
121);
122server.tool(
123 "click_mouse",
124 "Click the mouse at the current position",
125 { button: z.enum([...]).optional() },
126 async ({ button }) => { ... }
127);
128server.tool(
129 "drag_mouse",
130 "Drag the mouse from current position to target position",
131 { x: ..., y: ... },
132 async ({ x, y }) => { ... }
133);// Exploitable if MCP server is exposed to network or if an attacker can inject prompts into the LLM.
The mouse control tools allow moving the cursor, clicking, double-clicking, scrolling, and dragging. This enables an attacker to interact with any UI element on the screen, potentially clicking on buttons, opening files, or navigating through applications. Combined with screen capture, this provides full GUI automation capability.
ImpactAn attacker can perform any action a user can with a mouse, such as opening files, clicking on dialog boxes, interacting with web pages, and potentially bypassing security prompts by clicking 'Yes' or 'Allow'.
FixImplement rate limiting and user confirmation for mouse actions. Consider restricting mouse movements to a specific application or area. Log all mouse actions for audit.
17server.tool(
18 "capture_screen",
19 "Capture the entire screen as an image",
20 { format: ..., quality: ... },
21 async ({ format, quality }) => {
22 try {
23 const imageBase64 = await tools.captureScreen(format, quality);
24 return { content: [{ type: "text", text: `Screen captured successfully. ${imageBase64}` }] };
25 } catch (error) { ... }
26 }
27);
28server.tool(
29 "capture_region",
30 "Capture a specific region of the screen",
31 { left: ..., top: ..., width: ..., height: ..., format: ..., quality: ... },
32 async ({ left, top, width, height, format, quality }) => { ... }
33);// Exploitable if MCP server is exposed to network or if an attacker can inject prompts into the LLM.
The screen capture tools allow capturing the entire screen or a specific region without any user notification or consent. This enables an attacker to spy on the user's activities, capture sensitive information displayed on screen (e.g., emails, documents, passwords), and exfiltrate it as base64 images.
ImpactAn attacker can continuously monitor the user's screen, capturing sensitive information such as login credentials, personal messages, financial data, and confidential documents.
FixRequire explicit user consent before capturing screen. Display a visual indicator when screen capture is active. Limit capture frequency or require confirmation for each capture.
407server.tool(
408 "type_text",
409 "Type text at the current cursor position",
410 { text: z.string().min(1).describe("The text to type") },
411 async ({ text }) => { ... }
412);
413server.tool(
414 "press_key",
415 "Press a keyboard key",
416 { key: z.nativeEnum(Key).describe("The key to press") },
417 async ({ key }) => { ... }
418);
419server.tool(
420 "press_key_shortcut",
421 "Press a keyboard shortcut (combination of keys)",
422 { keys: z.array(z.nativeEnum(Key)).min(1).max(5) },
423 async ({ keys }) => { ... }
424);// Exploitable if MCP server is exposed to network or if an attacker can inject prompts into the LLM.
The keyboard tools allow typing arbitrary text, pressing individual keys, and executing key combinations (shortcuts). This can be used to simulate user input, open applications, execute commands (e.g., Win+R, Ctrl+Alt+Del), and interact with any running software. There is no restriction on what can be typed or which shortcuts can be pressed.
ImpactAn attacker can execute arbitrary commands on the system by simulating keyboard shortcuts (e.g., Win+R to open Run dialog, then type a command). They can also type into any focused text field, potentially injecting malicious input into applications.
FixRestrict keyboard input to specific allowed keys or patterns. Implement a whitelist of allowed shortcuts. Require user confirmation for potentially dangerous shortcuts (e.g., those involving the Windows key).
// Source file not analyzed: src/index.ts
// Finding inferred from import chain: src/index.ts:7 → src/tools/index.js (unavailable)
// Exploitable if MCP server is exposed to network or if an attacker can inject prompts into the LLM.
The UI Automation tools (getUiElementInfo and invokeUiElementAction) execute PowerShell scripts to interact with .NET UI Automation. The tool inputs (windowTitle, elementName, automationId, className, valueToSet) are passed to PowerShell scripts. If these inputs are not properly sanitized before being incorporated into PowerShell commands, an attacker could inject arbitrary PowerShell code. The comment explicitly states these tools execute PowerShell scripts, and the input validation only checks for string type and minimum length, not for malicious content.
ImpactAn attacker could inject PowerShell commands to execute arbitrary code on the host system, potentially leading to full system compromise, data exfiltration, or malware installation.
FixSanitize all inputs before passing them to PowerShell scripts. Use parameterized commands or secure APIs instead of string concatenation. Consider using a safer approach like invoking .NET UI Automation directly from Node.js without PowerShell.