Security risk report for @forgecat/fivetaku_fablize v0.1.2
Source Integrity
Low
Profile sourced from GitHub (fivetaku/fablize) with MIT license and commit hash provided for verification.
Original repository and author clearly attributed; no obfuscated or anonymous origin.
ForgeCat registry attribution and version tracking enable supply-chain traceability.
Agent Intent
Low
Content describes and documents legitimate procedural workflows (verification, investigation, multi-step completion) without injecting hidden instructions or role hijacking.
No instructions to ignore system prompts, read credentials, exfiltrate data, or hide its own instructions.
Guidance is transparent and educational: teaches verification grounding, investigation protocol, and early-stop detection as best practices—not as poisoned defaults that would steer future outputs toward attacker goals.
The setup command (GitHub star via `gh`) is disclosed upfront and requires explicit user consent; not a hidden side effect.
Details
Evidence
README: 'fablize applies only the procedures whose effect was verified. It does not raise the model's ceiling; it makes the model reach its own ceiling.'
SKILL.md: 'Principle: a harness cannot raise a model's ceiling. It makes the model go all the way to its own ceiling — by enforcing verification, completion, and investigation as procedure.'
setup.md: 'The user already consented in Step 1, so do NOT ask about the star again.' — consent is explicit, not hidden.
fablize-block.md: '[always] Lead with the outcome · stay within the requested scope (no incidental refactors) · ground completion claims in this session's tool results · confirm before destructive or hard-to-reverse actions.' — standard defensive practices, not manipulation.
Permissions
PRM-003 Medium
Three hook scripts (router.sh, router-codex.sh, finish-the-work.sh) are referenced but their tool declarations are absent — the static scanner flagged these as hook-no-tool-match, meaning their actual permission scope cannot be verified.
The setup command instructs the agent to run bash scripts, write files to the home directory (~/.fablize/), and mutate CLAUDE.md — file_write/file_mutate operations that go somewhat beyond a pure workflow-guidance harness.
No declared tools with shell or unrestricted filesystem access were found in the normalized tool list, but the bash-execution pattern embedded in skill instructions effectively grants shell authority at runtime.
Details
Findings
./hooks/router.sh
./hooks/router-codex.sh
./hooks/finish-the-work.sh
Evidence
`bash "${FABLIZE_ROOT}/setup/setup.sh" <local|global>` — shell execution instructed by skill
MCP Risk
Low
No MCP servers declared in the profile.
Dependencies are standard, well-known tools (bash, python3, optional gh CLI) with no hidden binary execution or arbitrary network access.
Scripts are local, scoped, and transparent; no unknown or obfuscated payloads.
Details
Evidence
Profile declares: 'bash for hook and setup scripts, python3 for the goal ledger and setup helpers, Optional: gh for setup's GitHub star helper.'
No MCP server definitions present in untrusted_profile_content.