multiplayer-basics

Fail

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The GDScript and C# examples for request_spawn allow a remote client to specify a scene_path which the server loads and instantiates.
  • Evidence: In SKILL.md (GDScript), the function @rpc("any_peer", "reliable") func request_spawn(scene_path: String, ...) calls load(scene_path).
  • Evidence: In SKILL.md (C#), the function [Rpc(MultiplayerApi.RpcMode.AnyPeer, ...)] public void RequestSpawn(string scenePath, ...) calls GD.Load<PackedScene>(scenePath).
  • Vulnerability: The server calls load() or GD.Load() on strings supplied directly by untrusted network peers. In Godot, loading and instantiating a scene file (.tscn or .res) can run scripts attached to nodes within that scene, so an attacker who controls the path can achieve arbitrary code execution on the server.
  • Risk: An attacker can instantiate any scene in the project, potentially accessing administrative tools, triggering debug functionality, or causing crashes. If the project allows any file uploads or modifications, this could lead to full system compromise.
  • [COMMAND_EXECUTION]: Passing untrusted network strings to load() lets external peers control which resources the server loads and therefore the server's execution flow.
  • Mitigation: Never pass file paths over the network. Use a server-side lookup table (Dictionary) where clients send an integer ID or a safe key, and the server maps that to a predefined, safe resource path.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 23, 2026, 03:46 AM
Security Audit — agent-trust-hub — multiplayer-basics