Security risk report for @forgecat/openai_skills_aspnet-core v0.0.10
Source Integrity
Low
The profile is sourced from OpenAI's official skills repository (https://github.com/openai/skills) with a documented commit hash and Apache-2.0 license.
The content is curated, well-maintained documentation aligned with current Microsoft ASP.NET Core guidance as of March 2026.
No supply-chain risks such as typosquatted dependencies, untrusted package registries, or obfuscated external payloads are present.
Agent Intent
Low
The profile contains only legitimate technical guidance for ASP.NET Core development patterns, best practices, and framework usage.
No instructions attempt to manipulate the AI into reading credentials, exfiltrating data, ignoring system instructions, or installing malicious payloads.
The content does not plant poisoned guidance, typosquatted dependencies, or security-weakening defaults; it consistently recommends official Microsoft patterns, built-in framework features, and secure defaults (HTTPS, secrets management, authorization boundaries).
Details
Evidence
All references point to official Microsoft Learn documentation (learn.microsoft.com/aspnet/core).
Guidance explicitly recommends secure practices: 'use Secret Manager in development', 'use a secure external store in production', 'do not commit secrets to source control'.
No hidden instructions or role-hijacking language present; the skill is purely educational and reference-oriented.
Permissions
Low
The profile declares no tools, MCP servers, or executable hooks that would require elevated permissions.
The skill is a pure documentation and guidance artifact with no runtime authority over file systems, shells, networks, or external services.
No `alwaysApply` rules, glob patterns, or excessive agency mechanisms are present.
Details
Evidence
'## Declared tools (normalized categories; paths are untrusted)' section is empty.
'## MCP servers (untrusted data)' section is empty.
The profile is read-only reference material designed to guide an AI's reasoning, not to execute or modify systems.
MCP Risk
Low
No MCP servers are defined in the profile.
The skill contains only markdown documentation and does not invoke external binaries, network calls, or unrestricted filesystem access.
All external references are to official Microsoft documentation URLs, which are safe and well-known.
Details
Evidence
'## MCP servers (untrusted data)' section is empty.
All links in the content point to learn.microsoft.com and github.com/dotnet/AspNetCore.Docs, both legitimate and trusted sources.