forge-init
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill automates the installation of a 'Token Saver' by creating executable scripts (
~/.claude/hooks/output-filter.jsand~/.claude/hooks/token-saver.sh) and patching the agent's global settings file (~/.claude/settings.json) to register these as PreToolUse hooks. This mechanism allows the scripts to intercept, wrap, and modify the execution output of numerous system tools including git, npm, pip, and docker. - [PROMPT_INJECTION]: The skill ingests untrusted data from local project configuration files (such as
package.json,pyproject.toml, andCargo.toml) to detect the tech stack and pre-fill the.forge/config.ymlfile. This represents an indirect prompt injection surface as the skill lacks explicit boundary markers or sanitization logic when interpolating these detected values into the agent's context. - [DATA_EXPOSURE_AND_EXFILTRATION]: The skill identifies and targets sensitive file paths like
.envand.forge/secrets/for inclusion in.gitignore. While this is a security-positive action, it confirms the skill's capability to traverse the filesystem and identify sensitive credentials.
Audit Metadata