Security risk report for @forgecat/voltagent_awesome-codex-subagents_language-specialists v0.0.10
Source Integrity
Low
Profile is sourced from VoltAgent/awesome-codex-subagents (public GitHub repository, MIT license, commit 5b7a405 dated 2026-03-19).
Static scanner confirms safe; source is a known, publicly documented collection of language-specialist agent templates.
Agent Intent
Low
All 26 agent markdown files contain legitimate, language-specific working instructions (e.g., 'map execution boundary', 'identify root cause', 'validate changed path') aligned with their stated purpose (Angular, C++, Python, etc. specialists).
No instructions attempt to manipulate the AI into ignoring system prompts, reading credentials, exfiltrating data, installing remote payloads, or hiding its own instructions.
No guidance poisoning detected; recommendations are standard best practices (transaction safety, error handling, type safety) not attacker-serving or security-weakening.
Details
Evidence
Representative example (angular-architect.md): 'Map the exact execution boundary (entry point, state/data path, and external dependencies)' — describes legitimate code-review methodology, not malicious instruction.
All agents consistently instruct 'Do not introduce broad architecture rewrites unless explicitly requested' — reinforces scope discipline, not hidden authority expansion.
No references to external URLs for payload fetching, no instructions to weaken security defaults (e.g., disable TLS), no typosquatted package names.
Permissions
Low
Profile declares no tools or MCP servers; agents are pure instruction/guidance profiles for Cursor/Claude Code/Codex.
Sandbox modes declared (workspace-write for most, read-only for sql-pro) are appropriate to stated function: code review, debugging, and architectural guidance.
No high-risk tool categories (shell, file_delete, arbitrary network access) are requested; authority is limited to workspace navigation and code analysis.
Details
Evidence
sql-pro.md explicitly declares 'sandbox_mode: read-only' — appropriate for query review without write authority.
All other agents declare 'sandbox_mode: workspace-write' — consistent with code-editing and debugging tasks.
No 'alwaysApply=true' rules with broad globs; no excessive web_fetch or subagent delegation.
MCP Risk
Low
No MCP servers are defined in this profile; it is a pure instruction/guidance collection.
No hidden instructions in tool descriptions, no arbitrary binary execution, no unrestricted network or filesystem access.
Profile is self-contained markdown documentation with no external service dependencies.