We checked this and rejected it · security

Apple Shortcuts MCP: why it is not safe to use

Apple Shortcuts MCP shells out to the macOS shortcuts CLI with shortcut names and inputs interpolated into an unescaped command string, creating a command-injection path.

The Apple Shortcuts MCP server (recursechat/mcp-server-apple-shortcuts) is a small, readable tool with no network calls and no hardcoded secrets. It earned a warn, not a fail, because of how it runs local commands.

What we found

The server builds shell commands by interpolating values directly into a template string, for example `shortcuts run "${name}" -i "${input}"`, and passes them to `execSync`. Shell metacharacters in those values are not escaped. Because shortcut names and input values can originate from an LLM or a compromised upstream context, a crafted value could break out of the quotes and run additional commands. Those commands would run with your normal macOS privileges and can trigger any local Shortcut. We saw no data exfiltration, no obfuscation, and no direct credential access; the concern is limited to this unescaped input path.

What to do instead

Prefer running the server only against inputs you control, not values passed through from untrusted content. If you use it, run it in a low-privilege account and review the shortcut names and inputs first. Maintainers can close the gap by switching to an argument-array spawn (`execFile` or `spawn` without a shell) so values are passed as discrete arguments rather than interpolated into a shell string. We will re-review once inputs are no longer shell-interpolated.
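The argument-array fix described above, sketched as an added example; it is not code from the server's repository. The `bin` and `prefix` parameters, the `checkValue` helper, and the Node child used as a stand-in for the `shortcuts` CLI are assumptions for illustration, so the block runs without macOS.

```javascript
const { execFileSync } = require('node:child_process');

// Pattern the review flagged: values interpolated into a shell string.
// Shown for comparison only; nothing here passes this string to a shell.
function buildShellString(name, input) {
  return `shortcuts run "${name}" -i "${input}"`;
}

// Added hardening (an assumption, not from the page): reject values that
// cannot be an argv entry or that the CLI would parse as an option.
function checkValue(label, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${label} must be a non-empty string`);
  }
  if (value.includes('\0')) throw new RangeError(`${label} contains NUL`);
  if (value.startsWith('-')) throw new RangeError(`${label} starts with "-"`);
  return value;
}

// Hardened form: no shell is involved, each value is one discrete argument.
// `bin` and `prefix` are hypothetical parameters so a stand-in can be used.
function runShortcut(name, input, bin = 'shortcuts', prefix = []) {
  const argv = [...prefix, 'run', checkValue('name', name),
                '-i', checkValue('input', input)];
  return execFileSync(bin, argv, { encoding: 'utf8', timeout: 10000 });
}

// Stand-in for the CLI: a Node child that prints the arguments it received.
const ECHO_ARGV = ['-e',
  'process.stdout.write(JSON.stringify(process.argv.slice(1)))', '--'];

function receivedArgs(name, input) {
  const out = runShortcut(name, input, process.execPath, ECHO_ARGV);
  return JSON.parse(out).slice(-4);
}

// Constructed sample value containing quotes and shell metacharacters.
const SAMPLE = 'Daily "Report"; $HOME && `date`';

// The child receives SAMPLE byte for byte as a single argument.
console.log(receivedArgs(SAMPLE, 'in.txt'));
```

With the template-string form, the quote inside `SAMPLE` would end the quoted name early and the rest would be parsed by the shell; with the array form it stays one literal argument.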

Want the same outcome, safely? Use our checked skill instead.

Source: https://github.com/recursechat/mcp-server-apple-shortcuts

We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.
