Security risk report for @forgecat/voltagent_awesome-codex-subagents_developer-experience v0.0.10
Source Integrity
Low
Profile references a legitimate public GitHub repository (VoltAgent/awesome-codex-subagents) with clear attribution and MIT license.
Metadata includes verifiable commit hash and date; no obfuscation or suspicious origin indicators.
Agent Intent
Low
All 13 agent instructions are task-focused guidance for legitimate developer workflows (builds, CLI, dependencies, docs, refactoring, etc.).
No instructions to read credentials, exfiltrate data, ignore system prompts, or execute remote payloads.
No guidance poisoning: recommendations align with standard industry practices (incremental change, validation, rollback planning) and do not plant malicious knowledge or weaken security defaults.
Details
Evidence
Each agent emphasizes 'smallest practical change', 'preserve safety', and 'validate' — standard engineering discipline, not manipulation.
Focus areas (e.g., 'verify failure reproduction', 'confirm transitive dependency impact', 'check auth/session handling') are defensive and risk-aware.
No typosquatted packages, disabled TLS, credential logging, or persistent biased rules detected.
Permissions
Low
Most agents declare sandbox_mode=workspace-write or read-only, appropriate to their scope (build, CLI, docs, refactoring).
No shell, file_delete, or unrestricted file_write rules with alwaysApply=true and globs='**'.
Authority matches stated function: build-engineer works on build pipelines, dependency-manager on package graphs, etc.
Details
Evidence
Agents like git-workflow-manager and legacy-modernizer use read-only mode (no file mutation needed for planning/review).
Agents like build-engineer and refactoring-specialist use workspace-write (expected for implementation tasks).
No excessive web_fetch, subagent, or network access declared.
MCP Risk
Low
No MCP servers are declared in the profile.
No hidden instructions in tool descriptions, arbitrary binary execution, or unrestricted network/filesystem access.
Details
Evidence
MCP servers section is empty: '(none)'.
Profile is purely markdown-based agent definitions with no external tool wiring or protocol integrations.