forge-idiomatic-engineer
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill directs the agent to locate and execute binary entry points directly from the local repository, such as the 'Forge CLI command', 'project wrapper', or 'checked-in build output'. This pattern allows a malicious repository to supply a compromised binary that the agent would then execute with its active session privileges.
- [COMMAND_EXECUTION]: The instruction to use the 'lsof' command with a port value parsed from 'forge.toml' (e.g., 'lsof -iTCP:') creates a potential command injection vulnerability if the configuration data contains shell-sensitive characters like semicolons or pipes.
- [PROMPT_INJECTION]: The skill exhibits a large indirect prompt injection surface. It is designed to ingest and act upon data from external repositories while possessing high-privilege capabilities including code generation, file modification, and command execution.
  - Ingestion points: 'forge.toml', 'Cargo.toml', 'src/main.rs', 'migrations/', and frontend configuration files like 'package.json'.
  - Boundary markers: Absent. No instructions are provided to delineate or ignore potential instructions embedded within the repository data.
  - Capability inventory: The skill utilizes subprocess execution for 'forge', 'cargo', 'bun', 'npm', 'lsof', and 'curl', and performs extensive file system write operations.
  - Sanitization: Absent. The skill encourages direct adoption of patterns and commands found in the repository without validation.
- [EXTERNAL_DOWNLOADS]: The skill manages project dependencies via standard package managers (npm, bun, cargo) and uses the 'forge test' command, which facilitates the download and installation of Playwright browsers.