Warden Scheduled Scan Results
Run: 2026-06-08T07:46:20.019Z
Commit: 9608457
Summary
| Severity | Count |
| --- | --- |
| High | 1 |
| Medium | 5 |
Findings
YR9-AKH · src/utils/xcodemake.ts · Remote script downloaded from mutable ref and executed without integrity check (L62-L79) · high
The installXcodemake function fetches a shell script from raw.githubusercontent.com/…/main/xcodemake (a mutable main branch ref), writes it to disk with executable permissions (0o755), and immediately executes it. There is no hash or signature verification, so a compromised or altered script on the main branch would be executed in the context of the MCP server.
ZBZ-U9C · src/mcp/tools/project-scaffolding/scaffold_ios_project.ts · orientationToIOSConstant switch cases never match schema enum values (L44-L56) · medium
The schema defines orientation values as lowercase kebab-case (e.g. 'portrait', 'landscape-left'), but orientationToIOSConstant matches PascalCase strings ('Portrait', 'LandscapeLeft'). Every call falls through to default: return orientation, writing raw enum strings like 'portrait' into the XCConfig instead of valid iOS constants like UIInterfaceOrientationPortrait.
J6Y-RGG · src/mcp/tools/ui-automation/screenshot.ts · Unguarded JSON.parse in getSimulatorDeviceForSimulatorId can throw instead of returning null (L74-L75) · medium
Wrap the JSON.parse call in a try/catch so that malformed simctl output causes the function to return null instead of throwing an unhandled exception.
Suggested fix: Wrap JSON.parse in a try/catch and return null on parse failure
9KM-C4W · src/utils/template-manager.ts · Temp directory and zip file leaked on successful template download (L128) · medium
On the success path, cleanup is called with extractedDir (a subdirectory of tempDir), so tempDir itself and the template.zip inside it are never removed.
KAN-6KS · src/utils/template-manager.ts · process.chdir in async context creates a race condition across concurrent downloads (L103-L117) · medium
Changing the global process working directory around an await means a concurrent downloadTemplate call can corrupt the CWD before unzip spawns, causing it to extract into the wrong directory.
JRJ-MUK · src/utils/xcodebuild-run-state.ts · Compiler diagnostics and test failures share a deduplication Set, enabling cross-type key collisions (L152-L200) · medium
Both compiler-diagnostic and test-failure fragments use the same seenDiagnostics Set for deduplication, so a test failure whose normalized key collides with an already-seen diagnostic key (or vice versa) will be silently dropped. This is possible when message contains |, since neither key function escapes delimiters.
Generated by Warden