The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): This skill defines an attack surface where an agent processes untrusted external data (project files via XcodeRead, XcodeGrep) and possesses high-privilege capabilities to act on that data.
Ingestion points: XcodeRead, XcodeGrep, XcodeLS, XcodeGlob, GetBuildLog read contents from the local filesystem.
Boundary markers: None specified in the tool definitions to distinguish between code and potential embedded instructions.
Capability inventory: XcodeWrite, XcodeUpdate, XcodeRM (destructive), XcodeMV (destructive), and ExecuteSnippet (arbitrary code execution).
Sanitization: No sanitization or validation of the processed file content is described.
[Data Exposure & Exfiltration] (HIGH): The file reading tools (XcodeRead, XcodeGrep, XcodeLS) allow the agent to access any file within the project scope. This includes source code, configuration files, and potentially sensitive environment files (e.g., .env, secrets.swift) or service account keys stored in the workspace.
[Dynamic Execution] (HIGH): The ExecuteSnippet tool allows for the execution of arbitrary Swift code. While the documentation notes a "sandboxed environment," this capability can be abused to perform unauthorized computations or logic if the input code is influenced by malicious instructions found in the project files.
[Command Execution] (HIGH): Tools like XcodeRM (Remove) and XcodeMV (Move) are explicitly labeled as destructive. An agent could be manipulated into deleting critical project infrastructure or source code.
[Metadata Poisoning] (LOW): The skill is a "reference" (NO_CODE), meaning it doesn't contain the implementation of the tools but instructs the agent on how to call them. This is a common pattern for MCP (Model Context Protocol) bridges but relies entirely on the security of the underlying xcrun mcpbridge server.

axiom-xcode-mcp-ref