AgentReadyHomeAgent Listing

← ios-simulator-skill

ios-simulator-skill — agentic threat model

9.2AIVSS 9.2 · Critical

This agent acts as an automation wrapper for local iOS development tools, posing a high risk of local system compromise, arbitrary code execution, and host-level privilege escalation if malicious prompts or untrusted code repositories are processed.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5AARS uplift 0.69Factor sum 4.4/10Threat ×1.05Mitigation ×1.0
Autonomy of Action
0.60
Goal-Driven Planning
0.50
Self-Modification
0.10
Dynamic Tool Use
0.80
Persistent Memory
0.40
Contextual Awareness
0.60
Dynamic Identity
0.20
Multi-Agent Interactions
0.30
Non-Determinism
0.50
Opacity & Reflexivity
0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — relies on Claude Code's underlying LLM. The primary threat is prompt injection or adversarial inputs within the codebase being tested, which could trick the model into executing malicious build commands.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — the agent primarily processes local workspace files and simulator state. The main threat is data exfiltration of local source code or simulator keychain data if the agent is compromised.

L3 · Agent Frameworks✓ mapped

The agent acts as an orchestration layer wrapping xcodebuild and simulator scripts. Insecure tool integration is a critical threat, as malicious inputs could lead to command injection or execution of arbitrary shell commands on the host machine.

L4 · Deployment & Infrastructure✓ mapped

Runs locally on the developer's machine to drive the iOS Simulator. This presents severe host compromise and privilege escalation risks, as xcodebuild and simulator commands typically run with the developer's local user permissions.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — there are no mentioned logging, guardrail, or monitoring frameworks to detect anomalous simulator actions or unauthorized build flags.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — lacks explicit authorization controls, policy enforcement, or audit logging to restrict which xcodebuild targets or simulator commands can be executed.

L7 · Agent Ecosystem✓ mapped

Operates as a community skill integrated into Claude Code. Vulnerabilities in this skill can propagate to the broader Claude Code environment, allowing malicious repositories to compromise the developer's local agent ecosystem.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).