FreeCAD MCP

Security checks across malware telemetry and agentic risk

Overview

This FreeCAD skill is a coherent CAD automation integration, but it gives connected agents unscoped Python code execution and broad document control without clear safety gates.

Install only if you trust both the package and every agent/client connected to it. Use it on copies of important CAD files, keep the RPC server bound to localhost, stop it when not in use, and avoid exposing execute_code to untrusted or autonomous agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

exec() call detected

High
Category
Dangerous Code Execution
Content
def task():
    try:
        with contextlib.redirect_stdout(output_buffer):
            exec(code, globals())
        FreeCAD.Console.PrintMessage("Python code executed successfully.\n")
        return True
    except Exception as e:
Confidence
99% confidence
Finding
exec(code, globals())

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
try:
    if obj.type == "Fem::FemMeshGmsh" and obj.analysis:
        from femmesh.gmshtools import GmshTools
        res = getattr(doc, obj.analysis).addObject(ObjectsFem.makeMeshGmsh(doc, obj.name))[0]
        if "Part" in obj.properties:
            target_obj = doc.getObject(obj.properties["Part"])
            if target_obj:
Confidence
80% confidence
Finding
res = getattr(doc, obj.analysis).addObject(ObjectsFem.makeMeshGmsh(doc, obj.name))[0]

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    else:
        raise ValueError(f"No creation method '{method_name}' found in ObjectsFem.")
    if obj.type != "Fem::AnalysisPython" and obj.analysis:
        getattr(doc, obj.analysis).addObject(res)
else:
    res = doc.addObject(obj.type, obj.name)
    set_object_property(doc, res, obj.properties)
Confidence
80% confidence
Finding
getattr(doc, obj.analysis).addObject(res)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill exposes an RPC endpoint whose purpose is arbitrary Python execution, which is unrelated to a narrowly scoped CAD manipulation API and dramatically expands the trust boundary. Because this server is network-accessible, the feature turns FreeCAD into a remote code execution service for any reachable client.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill exposes an MCP tool that forwards arbitrary Python code directly to FreeCAD for execution with no restriction, sandboxing, or capability checks. In practice this grants a caller code execution in the FreeCAD process context, which can be used to access files, spawn commands, make network requests, or alter the host environment well beyond normal CAD operations.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README explicitly advertises an `execute_code` tool that can run arbitrary Python inside FreeCAD, but it provides no warning about the security implications, trust boundaries, or safe-use constraints. In an MCP/agent context, this is especially dangerous because a user may connect the server to an LLM client and unknowingly grant the model a path to execute arbitrary local code, access files, or modify the host environment through FreeCAD's Python runtime.

Missing User Warnings

High
Confidence
98% confidence
Finding
The RPC server executes arbitrary Python code immediately after receipt, with no user confirmation, consent prompt, or warning despite the action being equivalent to full code execution on the host. In this context, lack of confirmation makes exploitation trivial once the server is reachable and removes any human checkpoint that might stop malicious or accidental abuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Starting `SimpleXMLRPCServer` creates a network-accessible remote control interface for document creation, editing, deletion, screenshot capture, library insertion, and arbitrary code execution, yet there is no authentication, transport protection, or warning about exposure. Even though the default host is `localhost`, the function accepts a caller-provided host and the design assumes trusted local access, which is unsafe for a high-impact control API.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
serialize_object() includes Document.FileName and recursively emits all document objects, which can disclose local filesystem paths and model metadata to RPC clients. In an RPC server context this increases sensitivity because remote consumers may receive host-environment information without any minimization, consent, or access control shown here.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The loop over obj.PropertiesList serializes every property value wholesale, which can expose sensitive or internal data embedded in FreeCAD object properties, including paths, identifiers, annotations, or plugin-defined values. Because this runs inside an RPC serialization layer, the skill context makes the issue more dangerous: it turns broad local object introspection into remote data exposure.

Missing User Warnings

High
Confidence
97% confidence
Finding
The execute_code tool advertises arbitrary Python execution as a normal capability and its docstring does not clearly warn that this is equivalent to remote code execution in the FreeCAD environment. That omission increases the chance that agents or users invoke it casually, despite the tool enabling actions outside the expected scope of FreeCAD modeling.

VirusTotal

66/66 vendors flagged this skill as clean.
