
Research
Malicious npm Packages Impersonate Flashbots SDKs, Targeting Ethereum Wallet Credentials
Four npm packages disguised as cryptographic tools steal developer credentials and send them to attacker-controlled Telegram infrastructure.
@wonderwhy-er/desktop-commander
Advanced tools
Work with code and text, run processes, and automate tasks, going far beyond other AI editors - without API token costs.
All of your AI development tools in one place. Desktop Commander puts all dev tools in one chat. Execute long-running terminal commands on your computer and manage processes through Model Context Protocol (MCP). Built on top of MCP Filesystem Server to provide additional search and replace file editing capabilities.
Desktop Commander offers multiple installation methods to fit different user needs and technical requirements.
📋 Update & Uninstall Information: Before choosing an installation option, note that only Options 1, 2, 3, and 6 have automatic updates. Options 4 and 5 require manual updates. See the sections below for update and uninstall instructions for each option.
Just run this in terminal:
npx @wonderwhy-er/desktop-commander@latest setup
For debugging mode (allows Node.js inspector connection):
npx @wonderwhy-er/desktop-commander@latest setup --debug
Restart Claude if running.
✅ Auto-Updates: Yes - automatically updates when you restart Claude
🔄 Manual Update: Run the setup command again
🗑️ Uninstall: Run npx @wonderwhy-er/desktop-commander@latest remove
For macOS users, you can use our automated bash installer which will check your Node.js version, install it if needed, and automatically configure Desktop Commander:
curl -fsSL https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install.sh | bash
This script handles all dependencies and configuration automatically for a seamless setup experience.
✅ Auto-Updates: Yes - requires manual updates
🔄 Manual Update: Re-run the bash installer command above
🗑️ Uninstall: Run npx @wonderwhy-er/desktop-commander@latest remove
To install Desktop Commander for Claude Desktop via Smithery:
The old command-line installation method is no longer supported. Please use the web interface above for the most reliable installation experience.
✅ Auto-Updates: Yes - automatically updates when you restart Claude
🔄 Manual Update: Visit the Smithery page and reinstall
Add this entry to your claude_desktop_config.json:
~/Library/Application\ Support/Claude/claude_desktop_config.json
%APPDATA%\Claude\claude_desktop_config.json
~/.config/Claude/claude_desktop_config.json
{
"mcpServers": {
"desktop-commander": {
"command": "npx",
"args": [
"-y",
"@wonderwhy-er/desktop-commander@latest"
]
}
}
}
Restart Claude if running.
✅ Auto-Updates: Yes - automatically updates when you restart Claude
🔄 Manual Update: Run the setup command again
🗑️ Uninstall: Run npx @wonderwhy-er/desktop-commander@latest remove
or remove the "desktop-commander" entry from your claude_desktop_config.json file
git clone https://github.com/wonderwhy-er/DesktopCommanderMCP.git
cd DesktopCommanderMCP
npm run setup
Restart Claude if running.
The setup command will:
❌ Auto-Updates: No - requires manual git updates
🔄 Manual Update: cd DesktopCommanderMCP && git pull && npm run setup
🗑️ Uninstall: Run npx @wonderwhy-er/desktop-commander@latest remove
or remove the cloned directory and remove MCP server entry from Claude config
Perfect for users who want complete or partial isolation or don't have Node.js installed. Desktop Commander runs in a sandboxed Docker container with a persistent work environment.
Important: Make sure Docker Desktop is fully started before running the installer.
macOS/Linux:
bash <(curl -fsSL https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install-docker.sh)
Windows PowerShell:
# Download and run the installer (one-liner)
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install-docker.ps1'))
The automated installer will:
Desktop Commander creates a persistent work environment that remembers everything between sessions:
Think of it like having your own dedicated development computer that never loses your setup, but runs safely isolated from your main system.
If you prefer manual setup, add this to your claude_desktop_config.json:
Basic setup (no file access):
{
"mcpServers": {
"desktop-commander-in-docker": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"mcp/desktop-commander:latest"
]
}
}
}
With folder mounting:
{
"mcpServers": {
"desktop-commander-in-docker": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-v", "/Users/username/Desktop:/mnt/desktop",
"-v", "/Users/username/Documents:/mnt/documents",
"mcp/desktop-commander:latest"
]
}
}
}
Advanced folder mounting:
{
"mcpServers": {
"desktop-commander-in-docker": {
"command": "docker",
"args": [
"run", "-i", "--rm",
"-v", "dc-system:/usr",
"-v", "dc-home:/root",
"-v", "dc-workspace:/workspace",
"-v", "dc-packages:/var",
"-v", "/Users/username/Projects:/mnt/Projects",
"-v", "/Users/username/Downloads:/mnt/Downloads",
"mcp/desktop-commander:latest"
]
}
}
}
✅ Controlled Isolation: Runs in sandboxed environment with persistent development state ✅ No Node.js Required: Everything included in the container ✅ Cross-Platform: Same experience on all operating systems ✅ Persistent Environment: Your tools, files, configs, and work survives restarts
✅ Auto-Updates: Yes - latest
tag automatically gets newer versions
🔄 Manual Update: docker pull mcp/desktop-commander:latest
then restart Claude
macOS/Linux:
Check installation status:
bash <(curl -fsSL https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install-docker.sh) --status
Reset all persistent data (removes all installed tools and configs):
bash <(curl -fsSL https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install-docker.sh) --reset
Windows PowerShell:
Check status:
$script = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install-docker.ps1'); & ([ScriptBlock]::Create("$script")) -Status
Reset all data:
$script = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install-docker.ps1'); & ([ScriptBlock]::Create("$script")) -Reset
Show help:
$script = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install-docker.ps1'); & ([ScriptBlock]::Create("$script")) -Help
Verbose output:
$script = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install-docker.ps1'); & ([ScriptBlock]::Create("$script")) -VerboseOutput
If you broke the Docker container or need a fresh start:
# Reset and reinstall from scratch
bash <(curl -fsSL https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install-docker.sh) --reset && bash <(curl -fsSL https://raw.githubusercontent.com/wonderwhy-er/DesktopCommanderMCP/refs/heads/main/install-docker.sh)
This will completely reset your persistent environment and reinstall everything fresh with exception of not touching mounted folders
Options 1 (npx), Option 2 (bash installer), 3 (Smithery), 4 (manual config), and 6 (Docker) automatically update to the latest version whenever you restart Claude. No manual intervention needed.
cd DesktopCommanderMCP && git pull && npm run setup
The easiest way to completely remove Desktop Commander:
npx @wonderwhy-er/desktop-commander@latest remove
This automatic uninstaller will:
If the automatic uninstaller doesn't work or you prefer manual removal:
~/Library/Application Support/Claude/claude_desktop_config.json
%APPDATA%\Claude\claude_desktop_config.json
~/.config/Claude/claude_desktop_config.json
"desktop-commander"
entry from the "mcpServers"
sectionExample - Remove this section:
{
"desktop-commander": {
"command": "npx",
"args": ["@wonderwhy-er/desktop-commander@latest"]
}
}
Close and restart Claude Desktop to complete the removal.
If automatic uninstallation fails:
If Claude won't start after uninstalling:
Need help?
The server provides a comprehensive set of tools organized into several categories:
Category | Tool | Description |
---|---|---|
Configuration | get_config | Get the complete server configuration as JSON (includes blockedCommands, defaultShell, allowedDirectories, fileReadLineLimit, fileWriteLineLimit, telemetryEnabled) |
set_config_value | Set a specific configuration value by key. Available settings: • blockedCommands : Array of shell commands that cannot be executed• defaultShell : Shell to use for commands (e.g., bash, zsh, powershell)• allowedDirectories : Array of filesystem paths the server can access for file operations (⚠️ terminal commands can still access files outside these directories)• fileReadLineLimit : Maximum lines to read at once (default: 1000)• fileWriteLineLimit : Maximum lines to write at once (default: 50)• telemetryEnabled : Enable/disable telemetry (boolean) | |
Terminal | start_process | Start programs with smart detection of when they're ready for input |
interact_with_process | Send commands to running programs and get responses | |
read_process_output | Read output from running processes | |
force_terminate | Force terminate a running terminal session | |
list_sessions | List all active terminal sessions | |
list_processes | List all running processes with detailed information | |
kill_process | Terminate a running process by PID | |
Filesystem | read_file | Read contents from local filesystem or URLs with line-based pagination (supports positive/negative offset and length parameters) |
read_multiple_files | Read multiple files simultaneously | |
write_file | Write file contents with options for rewrite or append mode (uses configurable line limits) | |
create_directory | Create a new directory or ensure it exists | |
list_directory | Get detailed listing of files and directories | |
move_file | Move or rename files and directories | |
start_search | Start streaming search for files by name or content patterns (unified ripgrep-based search) | |
get_more_search_results | Get paginated results from active search with offset support | |
stop_search | Stop an active search gracefully | |
list_searches | List all active search sessions | |
get_file_info | Retrieve detailed metadata about a file or directory | |
Text Editing | edit_block | Apply targeted text replacements with enhanced prompting for smaller edits (includes character-level diff feedback) |
Analytics | get_usage_stats | Get usage statistics for your own insight |
give_feedback_to_desktop_commander | Open feedback form in browser to provide feedback to Desktop Commander Team |
Data Analysis:
"Analyze sales.csv and show top customers" → Claude runs Python code in memory
Remote Access:
"SSH to my server and check disk space" → Claude maintains SSH session
Development:
"Start Node.js and test this API" → Claude runs interactive Node session
Search/Replace Block Format:
filepath.ext
<<<<<<< SEARCH
content to find
=======
new content
>>>>>>> REPLACE
Example:
src/main.js
<<<<<<< SEARCH
console.log("old message");
=======
console.log("new message");
>>>>>>> REPLACE
The edit_block
tool includes several enhancements for better reliability:
{-removed-}{+added+}
formatexpected_replacements
parameterWhen a search fails, you'll see detailed information about the closest match found, including similarity percentage, execution time, and character differences. All these details are automatically logged for later analysis using the fuzzy search log tools.
Desktop Commander can be run in Docker containers for complete isolation from your host system, providing zero risk to your computer. This is perfect for testing, development, or when you want complete sandboxing.
Install Docker for Windows/Mac
Get Desktop Commander Docker Configuration
Mount Your Machine Folders (Coming Soon)
read_file
can now fetch content from both local files and URLsread_file
with isUrl: true
parameter to read from web resourcesThe fuzzy search logging system includes convenient npm scripts for analyzing logs outside of the MCP environment:
# View recent fuzzy search logs
npm run logs:view -- --count 20
# Analyze patterns and performance
npm run logs:analyze -- --threshold 0.8
# Export logs to CSV or JSON
npm run logs:export -- --format json --output analysis.json
# Clear all logs (with confirmation)
npm run logs:clear
For detailed documentation on these scripts, see scripts/README.md.
Desktop Commander includes comprehensive logging for fuzzy search operations in the edit_block
tool. When an exact match isn't found, the system performs a fuzzy search and logs detailed information for analysis.
Every fuzzy search operation logs:
Logs are automatically saved to:
~/.claude-server-commander-logs/fuzzy-search.log
%USERPROFILE%\.claude-server-commander-logs\fuzzy-search.log
The fuzzy search logs help you understand:
Desktop Commander now includes comprehensive logging for all tool calls:
Logs are saved to:
~/.claude-server-commander/claude_tool_call.log
%USERPROFILE%\.claude-server-commander\claude_tool_call.log
This audit trail helps with debugging, security monitoring, and understanding how Claude is interacting with your system.
For commands that may take a while:
For comprehensive security information and vulnerability reporting: See SECURITY.md
Known security limitations: Directory restrictions and command blocking can be bypassed through various methods including symlinks, command substitution, and absolute paths or code execution
Always change configuration in a separate chat window from where you're doing your actual work. Claude may sometimes attempt to modify configuration settings (like allowedDirectories
) if it encounters filesystem access restrictions.
The allowedDirectories
setting currently only restricts filesystem operations, not terminal commands. Terminal commands can still access files outside allowed directories.
For production security: Use the Docker installation which provides complete isolation from your host system.
You can manage server configuration using the provided tools:
// Get the entire config
get_config({})
// Set a specific config value
set_config_value({ "key": "defaultShell", "value": "/bin/zsh" })
// Set multiple config values using separate calls
set_config_value({ "key": "defaultShell", "value": "/bin/bash" })
set_config_value({ "key": "allowedDirectories", "value": ["/Users/username/projects"] })
The configuration is saved to config.json
in the server's working directory and persists between server restarts.
The fileWriteLineLimit
setting controls how many lines can be written in a single write_file
operation (default: 50 lines). This limit exists for several important reasons:
Why the limit exists:
Setting the limit:
// You can set it to thousands if you want
set_config_value({ "key": "fileWriteLineLimit", "value": 1000 })
// Or keep it smaller to force more efficient behavior
set_config_value({ "key": "fileWriteLineLimit", "value": 25 })
Maximum value: You can set it to thousands if you want - there's no technical restriction.
Best practices:
Create a dedicated chat for configuration changes: Make all your config changes in one chat, then start a new chat for your actual work.
Be careful with empty allowedDirectories
: Setting this to an empty array ([]
) grants access to your entire filesystem for file operations.
Use specific paths: Instead of using broad paths like /
, specify exact directories you want to access.
Always verify configuration after changes: Use get_config({})
to confirm your changes were applied correctly.
You can specify which shell to use for command execution:
// Using default shell (bash or system default)
execute_command({ "command": "echo $SHELL" })
// Using zsh specifically
execute_command({ "command": "echo $SHELL", "shell": "/bin/zsh" })
// Using bash specifically
execute_command({ "command": "echo $SHELL", "shell": "/bin/bash" })
This allows you to use shell-specific features or maintain consistent environments across commands.
execute_command
returns after timeout with initial outputread_output
with PID to get new outputforce_terminate
to stop if neededIf you need to debug the server, you can install it in debug mode:
# Using npx
npx @wonderwhy-er/desktop-commander@latest setup --debug
# Or if installed locally
npm run setup:debug
This will:
--inspect-brk=9229
flagTo connect a debugger:
chrome://inspect
and look for the Node.js instanceImportant debugging notes:
--inspect-brk
flag)Troubleshooting:
This project extends the MCP Filesystem Server to enable:
Created as part of exploring Claude MCPs: https://youtube.com/live/TlbjFDbl5Us
read_file
command can now fetch content from URLsThe following features are currently being explored:
Desktop Commander MCP is free and open source, but needs your support to thrive!
Our philosophy is simple: we don't want you to pay for it if you're not successful. But if Desktop Commander contributes to your success, please consider contributing to ours.
Ways to support:
Generous supporters are featured here. Thank you for helping make this project possible!
Your support allows us to:
Visit our official website at https://desktopcommander.app/ for the latest information, documentation, and updates.
Learn more about this project through these resources:
Claude with MCPs replaced Cursor & Windsurf. How did that happen? - A detailed exploration of how Claude with Model Context Protocol capabilities is changing developer workflows.
Claude Desktop Commander Video Tutorial - Watch how to set up and use the Commander effectively.
This Developer Ditched Windsurf, Cursor Using Claude with MCPs
Join our Discord server to get help, share feedback, and connect with other users.
https://www.youtube.com/watch?v=ly3bed99Dy8&lc=UgyyBt6_ShdDX_rIOad4AaABAg
https://www.youtube.com/watch?v=ly3bed99Dy8&lc=UgztdHvDMqTb9jiqnf54AaABAg
https://www.youtube.com/watch?v=ly3bed99Dy8&lc=UgyQFTmYLJ4VBwIlmql4AaABAg
https://www.youtube.com/watch?v=ly3bed99Dy8&lc=Ugy4-exy166_Ma7TH-h4AaABAg
https://medium.com/@pharmx/you-sir-are-my-hero-62cff5836a3e
If you find this project useful, please consider giving it a ⭐ star on GitHub! This helps others discover the project and encourages further development.
We welcome contributions from the community! Whether you've found a bug, have a feature request, or want to contribute code, here's how you can help:
All contributions, big or small, are greatly appreciated!
If you find this tool valuable for your workflow, please consider supporting the project.
Here are answers to some common questions. For a more comprehensive FAQ, see our detailed FAQ document.
It's an MCP tool that enables Claude Desktop to access your file system and terminal, turning Claude into a versatile assistant for coding, automation, codebase exploration, and more.
Unlike IDE-focused tools, Claude Desktop Commander provides a solution-centric approach that works with your entire OS, not just within a coding environment. Claude reads files in full rather than chunking them, can work across multiple projects simultaneously, and executes changes in one go rather than requiring constant review.
No. This tool works with Claude Desktop's standard Pro subscription ($20/month), not with API calls, so you won't incur additional costs beyond the subscription fee.
Yes, when installed through npx or Smithery, Desktop Commander automatically updates to the latest version when you restart Claude. No manual update process is needed.
Join our Discord server for community support, check the GitHub issues for known problems, or review the full FAQ for troubleshooting tips. You can also visit our website FAQ section for a more user-friendly experience. If you encounter a new issue, please consider opening a GitHub issue with details about your problem.
Please create a GitHub Issue with detailed information about any security vulnerabilities you discover. See our Security Policy for complete guidelines on responsible disclosure.
Desktop Commander collects limited anonymous telemetry data to help improve the tool. No personal information, file contents, file paths, or command arguments are collected.
get_usage_stats
toolget_usage_stats
tool to view your personal usage patterns, success rates, and performance metricsgive_feedback_to_desktop_commander
tool to provide feedback about Desktop CommanderExternal telemetry (sent to analytics services) is enabled by default but can be disabled:
Note: This only disables external telemetry. Local usage analytics remain active for tool functionality but is not share externally
For complete details about data collection, please see our Privacy Policy.
MIT
FAQs
MCP server for terminal operations and file editing
The npm package @wonderwhy-er/desktop-commander receives a total of 11,193 weekly downloads. As such, @wonderwhy-er/desktop-commander popularity was classified as popular.
We found that @wonderwhy-er/desktop-commander demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Four npm packages disguised as cryptographic tools steal developer credentials and send them to attacker-controlled Telegram infrastructure.
Security News
Ruby maintainers from Bundler and rbenv teams are building rv to bring Python uv's speed and unified tooling approach to Ruby development.
Security News
Following last week’s supply chain attack, Nx published findings on the GitHub Actions exploit and moved npm publishing to Trusted Publishers.