Mac's open command - too powerful

  • administrators

    I don't actually recommend this because, as the title suggests, there's a potential security risk here if someone gets ahold of your password or token, but it's still pretty cool to play with and it solved this problem so I thought I'd post it as an example.

    I added a command to my mac that runs the "open" command and enabled parameters.

    Then I used slash command with the new Slack app to open Finder to my desktop folder:

    /triggercmd open on mac with ~/Desktop

    Here's the dangerous bit: I also found I could run any arbitrary command on my mac.

    I could also calculator with this command:

    /triggercmd open on mac with -a calculator

    The "open" command is a little too powerful because it lets you run any command. So if you do this, don't give out your token or password to if you do this (it's never a good idea to give those out anyway).

    I warned you but in case you want to do it anyway:

         /triggercmd-token [paste your token here]
    • Run this slash command:
         /triggercmd open on mac with ~/Desktop
    • Profit.

    If you just want to open Calculator, a safer Slack command would be:

    /triggercmd calculator

Log in to reply

Looks like your connection to TRIGGERcmd Forum was lost, please wait while we try to reconnect.