Security Advisory: Prompt Injection Risk via Build Output and Dependency Content #291
Description
Summary
XcodeBuildMCP exposes Xcode build, test, and simulator control to AI assistants. Build output (warnings, errors, logs) can contain attacker-controlled strings from malicious dependencies, and the AI processes this output directly.
Attack Vector
- A malicious CocoaPod/SPM dependency includes prompt injection payloads in build warnings, error messages, or deprecation notices
- Developer builds the project via XcodeBuildMCP → build output with injected strings enters the LLM context
- Injection instructs the AI to modify build configuration (disable code signing, add malicious build phases, alter Info.plist)
- Alternatively: injection instructs AI to read and exfiltrate build environment variables containing signing certificates, API keys, or provisioning profiles
Impact
- Build Tampering: AI could disable code signing, add pre/post-build scripts that exfiltrate data, or modify entitlements
- Secret Exfiltration: Build environments often contain signing certificates, API keys, and provisioning profiles
- Supply Chain Attack: A single malicious dependency could compromise the build pipeline of any project using XcodeBuildMCP
- Simulator Manipulation: AI could install malicious apps on simulators or extract data from running simulator instances
OWASP Classification
- OWASP LLM Top 10: LLM01 (Prompt Injection)
- OWASP Agentic Top 10: AG01 (Prompt Injection via Tool Results), AG07 (Supply Chain Vulnerability)
Recommendation
- Add a Security Warning to the README about processing untrusted build output
- Sanitize build output before passing to LLM context
- Implement read-only mode as default (no build configuration changes)
- Add allowlists for which build settings the AI can modify
- Warn about the risk of malicious dependencies in the context of AI-assisted development