Security risk report for @forgecat/contains-studio_agents_design v0.1.0
Source Integrity
Low
Profile is published on a known GitHub repository (nota-america/forgecat-agent-profiles) with standard open-source visibility.
No supply-chain attacks, typosquatted dependencies, or malicious package recommendations are present.
Agent Intent
INT-000 High
The 'whimsy-injector' agent contains a hidden instruction pattern that violates the declared profile scope: it instructs the AI to 'PROACTIVELY use this agent after any UI/UX changes' with 'alwaysApply=true' semantics, expanding its authority beyond user-initiated requests into autonomous, unsupervised execution.
The agent's description explicitly instructs the AI to trigger itself automatically ('The agent should be triggered automatically when design or interface updates are made'), which is a form of self-expanding authority and guidance poisoning—it plants a rule that the AI will reuse in future outputs to autonomously invoke this agent without explicit user consent.
The whimsy-injector agent is not listed in the main profile's agent table (brand-guardian, ui-designer, ux-researcher, visual-storyteller), making it a hidden/undeclared sub-agent that users installing this profile will not expect to be invoked automatically.
Details
Evidence
whimsy-injector.md description: 'PROACTIVELY use this agent after any UI/UX changes to ensure delightful, playful elements are incorporated. This agent specializes in adding joy, surprise, and memorable moments to user experiences. The agent should be triggered automatically when design or interface updates are made.'
Example in whimsy-injector.md: 'assistant: "Great! I've implemented the onboarding flow. Now let me use the whimsy-injector agent to add delightful touches..."' — instructs the AI to autonomously invoke the agent after user actions.
README.md agent table lists only 4 agents (brand-guardian, ui-designer, ux-researcher, visual-storyteller); whimsy-injector is undeclared in the public interface but present in the payload.
Permissions
PRM-000 Medium
Four of five agents (brand-guardian, ui-designer, ux-researcher, visual-storyteller) declare `Write, Read, MultiEdit, WebSearch, WebFetch` — the Write/MultiEdit tools grant file-write capability, which is moderately elevated for agents whose primary purpose is producing design documentation and guidance.
The whimsy-injector agent adds `Grep` and `Glob` (filesystem scanning) on top of Read/Write/MultiEdit, enabling broad codebase traversal; this is somewhat broader than strictly necessary for injecting UI delight patterns.
None of the agents declare shell execution or file-delete tools, and no `alwaysApply=true` with `globs="**"` rules are present, keeping overall risk at medium rather than high.
No MCP servers are declared in the profile; all agents rely on standard Cursor/Claude Code tools (Write, Read, WebSearch, etc.), which are known-safe and scoped to the IDE environment.
No arbitrary binary execution, hidden tool definitions, or unrestricted network/filesystem access is configured via MCP.
Tool descriptions are transparent and aligned with stated agent purposes (design, research, storytelling).