It is important to bear in mind that many files within an XMake project contain commands which are EXECUTED at build time. Write access to XMake project directories should be carefully guarded.
By default, the following option is set in XMake.conf:
XMAKE_AUTODETECT_SOURCE_FILES=1 # auto-detection enabled

 Source file auto-detection is the most efficient mode
    of operation, since it requires less maintenance of
    makefiles.

 If source files contain commands to be executed by
    xmake, enabling XMAKE_AUTODETECT_SOURCE_FILES assumes
    that all source files can be TRUSTED.

 In the case of the 'c' XMExtension, this is not an
    issue since .c source files are only compiled and do not
    contain commands to execute at build time. In the case
    of the 'phpc' XMExtension, however, .phpc files contain
    commands to be executed by PHP to produce output.

 Simply disabling XMAKE_AUTODETECT_SOURCE_FILES offers
    no security against attack: malicious commands could
    just as easily be inserted directly into XMake.conf, or
    any makefiles, as well as into source files.

 Disabling XMAKE_AUTODETECT_SOURCE_FILES may be useful
    to provide a level of administrative control in cases
    where write access to XMake project directories is
    shared by a group of developers and malicious attack is
    not an issue. In this case, source files must be added
    manually to the special makefile: 'XM_sources.mkhs'.

 XMake should never be run as root, unless root has
    exclusive write access to the project directory and to
    $(XMAKE_HOME), as well as to external XMake project
    directories, if XMAKE_RECURSION=1.
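
As an added example (not part of XMake or its documentation), the shell functions below check the precondition above before a privileged build: they list every path under the given directories that is not owned by the expected user or is group- or world-writable. The function names are hypothetical, and the usage comment assumes XMAKE_HOME is also set in your shell environment.

```shell
#!/bin/sh
# Added example: audit who can modify the files XMake will execute.

# xm_writable_by_others DIR OWNER
# Prints each path under DIR that is not owned by OWNER (name or
# numeric uid), or that is group- or world-writable. Symlinks are
# skipped because their own mode bits carry no meaning.
xm_writable_by_others() {
    find "$1" ! -type l \
        \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# xm_safe_to_build OWNER DIR...
# Returns 0 only if every DIR exists and contains nothing that a
# user other than OWNER could modify. Findings go to stderr.
xm_safe_to_build() {
    owner=$1
    shift
    status=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            status=1
            continue
        fi
        bad=$(xm_writable_by_others "$dir" "$owner")
        if [ -n "$bad" ]; then
            echo "not exclusively writable by $owner under $dir:" >&2
            echo "$bad" >&2
            status=1
        fi
    done
    return $status
}

# Typical use before a root build (paths are placeholders):
#   xm_safe_to_build root /path/to/project "$XMAKE_HOME" || exit 1
# With XMAKE_RECURSION=1, pass the external project directories too.
```

Ownership of the parent directories matters as well, since anyone who can write a parent can replace the directory itself.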