Warden Scheduled Scan Results
Run: 2026-06-29T07:45:34.807Z
Commit: db7e055
Summary
| Severity | Count |
| High | 3 |
| Medium | 2 |
| Low | 1 |
Findings

src/utils/template-manager.ts

UGT-9T4 process.chdir() mutates global state unsafely in async context (L107-L118) · high
Using process.chdir() to set the working directory before invoking unzip is a process-wide mutation; any concurrent async request handled by the MCP server during the await commandExecutor(...) call will observe the wrong working directory. Pass the target directory to unzip directly with -d instead.

BDL-GU4 Downloaded template returns repo root instead of 'template' subdirectory (L124-L128) · medium
The local-override path returns join(localPath, 'template'), but the download path returns the bare extracted repo root (extractedDir) without appending /template, giving callers inconsistent paths for the same platform.

src/utils/xcodebuild-domain-results.ts

TC7-XAK .ts extension import will fail production build (L31) · high
The import on line 31 uses a .ts extension, which is disallowed by tsconfig.build.json (allowImportingTsExtensions: false) and will break compilation. All other local imports in this file correctly use .js extensions.
Suggested fix: Change the .ts extension to .js to match every other local import in this file and satisfy the build tsconfig.

src/utils/xcodemake.ts

GQT-YWP Remote script downloaded and executed without integrity verification (L64-L80) · high
The installXcodemake function downloads an executable script from GitHub over HTTPS and runs it without verifying a checksum or cryptographic signature, making this a supply-chain attack vector if the upstream repository is compromised or the content is tampered with.

src/utils/simulator-steps.ts

5JD-TZZ Unguarded JSON.parse throws on malformed simctl output instead of returning error result (L65-L67) · medium
Wrap JSON.parse(listResult.output) in a try-catch and return { simulator: null, error: '...' } so callers receive a structured error instead of an unhandled SyntaxError when simctl emits unexpected output.

src/mcp/tools/ui-automation/key_press.ts

8BF-Z7V Zod .int() message contains a field description instead of a validation error message (L38) · low
The .int({ message: 'HID keycode to press (0-255)' }) message reads as a field description, not an error: when a non-integer is submitted, users will see 'HID keycode to press (0-255)' as the validation failure reason. Use a proper error like 'keyCode must be an integer' instead.
Suggested fix: Replace the descriptive message with a proper validation error message.

Generated by Warden