agentforge
Warn
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill frequently executes shell commands via `subprocess.run` to gather system information. This includes running `pip list`, `npm list`, and `code --list-extensions` in `agentforge/scanner/tools.py`, as well as executing the `claude` CLI in `agentforge/llm.py` to interact with the LLM.
- [DATA_EXFILTRATION]: The `ToolScanner` in `agentforge/scanner/tools.py` reads sensitive local configuration files, specifically `~/.claude/claude_desktop_config.json` and other Claude Desktop configuration paths. These files often contain API keys or environment variables for MCP servers. While the current logic primarily extracts server names, the entire file is parsed into memory, and the resulting system profile is sent to the LLM.
- [REMOTE_CODE_EXECUTION]: The `MVPBuilder` in `agentforge/mvp/builder.py` is designed to generate complete, runnable Python project skeletons. This involves dynamic code generation where the file content is determined by LLM output. Executing the generated code (as suggested by the setup instructions) could lead to arbitrary code execution if the LLM output is compromised.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection in `agentforge/collector/data.py`. It fetches open issue titles from arbitrary GitHub repositories and interpolates them directly into a JSON structure that is passed to the LLM. An attacker could place a malicious instruction in a GitHub issue title to influence the project brief or generated code.
- Ingestion points: `agentforge/collector/data.py` (fetches issue titles from `api.github.com/repos/{repo}/issues`).
- Boundary markers: The untrusted data is encapsulated in a JSON object within a markdown block, providing moderate isolation but no strict sanitization.
- Capability inventory: The skill can execute shell commands (`subprocess.run` in `llm.py`), write files to the local filesystem (`mvp/builder.py`), and make outbound network requests (`collector/data.py`).
- Sanitization: No sanitization or filtering is performed on the GitHub issue titles before they are processed by the LLM.
Audit Metadata