Security risk report for @forgecat/voltagent_awesome-codex-subagents_data-ai v0.0.10
Source Integrity
Low
Profile references a legitimate public GitHub repository (VoltAgent/awesome-codex-subagents) with clear attribution and MIT license.
Commit hash and version tracking provided; no obfuscated or suspicious source indicators.
Agent Intent
Low
All 12 agent descriptions focus on legitimate professional roles (data engineer, ML engineer, database optimizer, etc.) with clear, bounded task scopes.
No instructions to read credentials, exfiltrate data, ignore system prompts, or execute remote payloads.
No guidance poisoning: recommendations align with standard industry practices (schema validation, testing, monitoring) without typosquatting, backdoored templates, or security-weakening defaults.
Details
Evidence
Agent instructions emphasize 'smallest safe fix', 'validation', 'quality checks', and 'residual risk' — all defensive postures.
Example: data-engineer agent states 'Favor minimal, safe pipeline changes that preserve data contracts and reduce downstream breakage risk.'
No instruction to fetch external URLs, install untrusted dependencies, or weaken security controls.
Permissions
Low
Agents declare appropriate sandbox modes: read-only for analysis roles (data-analyst, database-optimizer, llm-architect, postgres-pro, prompt-engineer) and workspace-write for implementation roles (ai-engineer, data-engineer, machine-learning-engineer, ml-engineer, mlops-engineer).
No high-risk tool categories (shell, file_delete, unrestricted file_write) declared or implied.
Authority matches stated function: analysis agents get read access; implementation agents get workspace write access for code/config changes.
Details
Evidence
data-analyst: sandbox_mode=read-only (appropriate for interpretation-only work).
data-engineer: sandbox_mode=workspace-write (appropriate for pipeline implementation).
No globs='**' or alwaysApply=true rules that would grant excessive blanket authority.
MCP Risk
Low
No MCP servers declared in the profile.
No hidden instructions in tool descriptions or arbitrary binary execution risks.
Profile is pure markdown agent definitions with no external service integrations or unrestricted network/filesystem access.
Details
Evidence
MCP servers section: (none)
No tool definitions with suspicious descriptions or unknown binary references.