It’s not just those files though. KDE seems to parse anything with a [Desktop Entry] as the beginning of the file. Be VERY careful with .desktop files on KDE right now, as this is basically a zero-day vulnerability.
According to Penner, this vulnerability exists in KDE version 4 and 5 and allows commands embedded in .desktop and .directory files to be executed simply by opening a folder, or in some cases, extracting an archive to the desktop.
Penner reported the bug to Ubuntu after publicly disclosing it. The researcher originally didn’t report it as he “wanted to drop a 0day for Defcon that people could experiment with”.
Almost all Linux distributions are currently utilizing vulnerable versions of KDE.