Apple Native Tools
Integrates with Apple's native applications to enable searching contacts, managing notes, and sending messages within the macOS ecosystem.
0Tools
10Findings
3.0kStars
Mar 22, 2026Last Scanned
3 critical · 6 high · 1 low findings detected
Security Category Deep Dive
Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
100%4 rules
Hidden instructions via external content and tool responses
100%2 rules
Context window saturation and prior-approval exploitation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
100%2 rules
Injection via prompt templates and runtime tool output
Findings10
3critical
6high
1low
Critical3
criticalL7Transitive MCP Server DelegationMCP06-excessive-permissionsAML.T0054
Pattern "(?:connect|initialize).*(?:mcp|modelcontextprotocol).*(?:server|endpoint|url)" matched in source_code: "initialize MCP server" (at position 37968)
MCP servers MUST NOT create client connections to other MCP servers without explicit user disclosure. If delegation is required, declare all downstream servers in the server's capabilities and tool descriptions. Never forward user credentials to sub-servers. Implement a trust boundary between the approved server and any delegated servers. Log all transitive delegations for audit.
criticalQ3Localhost MCP Service HijackingMCP07-insecure-configT1557
Pattern "(?:express|fastify|koa|hono).*(?:listen|server)(?!.*(?:host[_\s]?(?:check|valid|verify)|helmet))" matched in source_code: "hono/node-server" (at position 48334)
MCP servers binding to localhost must: (1) validate the Host header to prevent DNS rebinding attacks (CVE-2025-49596), (2) set strict CORS origins instead of wildcard '*', (3) require authentication tokens even for local connections, (4) use random high ports instead of predictable defaults. For stdio transport, validate all input at the JSON-RPC level before processing. Consider using Docker MCP Gateway or similar container isolation.
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "["'](?:mcp-remote|mcp-proxy|mcp-gateway)["']\s*:\s*["'](?:\^|~|\*|latest)" matched in source_code: ""mcp-proxy": "^" (at position 48493)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
High6
highK13Unsanitized Tool OutputMCP02-tool-poisoningAML.T0054
Pattern "(?:readFile|read_file|open).*(?:return|respond|result|content|text)(?!.*(?:sanitize|escape|encode|strip|filter|validate|truncate))" matched in source_code: "openReminder(searchText" (at position 26277)
Sanitize all external data before including in tool responses. Implement output encoding that neutralizes prompt injection patterns. Truncate excessively long content. Validate structure before passing database results. Apply the principle: treat all external data as untrusted, even in tool outputs. Required by CoSAI MCP-T4.
highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "@hono/node-server@1.13.8" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
highN1JSON-RPC Batch Request AbuseMCP07-insecure-configAML.T0054
Pattern "Promise\.all\s*\(\s*(?:batch|requests|messages|items)\s*\.map\s*\(" matched in source_code: "Promise.all(
messages.map(" (at position 12605)
Enforce a maximum batch size for JSON-RPC requests (recommended: 20-25 requests per batch). Reject batches exceeding the limit with a -32600 (Invalid Request) error. Implement per-batch timeout and memory limits. Reference: JSON-RPC 2.0 Section 6 (Batch) does not mandate limits — servers MUST enforce them.
highK16Unbounded Recursion / Missing Depth LimitsMCP07-insecure-configAML.T0054
Pattern "(invoke|call|execute)[_\s-]?(?:tool|agent|self)(?!.*(?:depth|level|limit|max[_\s-]?(?:depth|recursi|iter|call)|count))" matched in source_code: "CallTool" (at position 207)
Add explicit depth/recursion limits to all recursive operations. Use iterative approaches where possible. Set maximum depth for directory walking (max_depth=10), tree traversal (max_level=20), and agent re-invocation (max_calls=5). Implement circuit breakers that halt after N iterations. Required by EU AI Act Art. 15 (robustness) and OWASP ASI08.
highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "@modelcontextprotocol/sdk@1.5.0" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
highK1Absent Structured LoggingMCP09-logging-monitoringAML.T0054
Pattern "console\.(log|warn|error)\s*\(.*(?:tool|request|handler|execute|invoke)" matched in source_code: "console.error("Error in reminders tool" (at position 27918)
Implement structured logging (pino, winston, or equivalent) for all tool call handlers. Every tool invocation should log: timestamp, tool name, caller identity, parameters (sanitized), result status, and duration. Required by ISO 27001 A.8.15, CoSAI MCP-T12, and NIST AI RMF MEASURE 2.6.
Low1
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.