skills/delexw/claude-code-misc/forge/Gen Agent Trust Hub

forge

Warn

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: MEDIUM
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection. It ingests data from external sources such as JIRA tickets, Confluence pages, GitHub, and arbitrary URLs (via WebFetch), and incorporates this content into prompts used to generate an implementation 'battle plan.' A malicious external source could provide instructions designed to manipulate the agent into executing unauthorized shell commands during the execution phase.
      • Ingestion points: JIRA URLs, Confluence pages, GitHub repositories, Figma designs, and arbitrary web links found in ticket descriptions.
      • Boundary markers: The skill does not implement robust delimiters or 'ignore' instructions for the ingested content, although Phase 5 does define scope boundaries for subtasks.
      • Capability inventory: Both the main orchestrator and the dynamically generated skill are granted Bash, Write, Edit, and Read permissions.
      • Sanitization: There is no evidence of validation or escaping for the data retrieved from external sources before it is interpolated into model prompts.
  • [REMOTE_CODE_EXECUTION]: The skill employs a dynamic execution pattern by generating a new skill configuration file (SKILL.md) at runtime and subsequently invoking it. Because the logic within this generated skill and its accompanying execution plan is derived from untrusted external inputs (JIRA and web content), this constitutes a high-risk dynamic execution vector where external data can influence agent capabilities and behavior.
  • [COMMAND_EXECUTION]: The skill frequently uses the Bash tool for local operations. This includes file system management, such as creating directory structures and recursively deleting the dynamic skill directory after execution. It also performs network probing by scanning localhost ports to identify and connect to development servers.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch information from multiple external platforms, including Atlassian JIRA and Confluence, GitHub, and Figma. It also uses the WebFetch tool to retrieve content from arbitrary URLs found within ticket summaries and descriptions, which may lead to the ingestion of data from untrusted third-party domains.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 26, 2026, 10:42 AM