Security risk report for @forgecat/voltagent_awesome-codex-subagents_quality-security v0.0.10
Source Integrity
Low
Profile references a legitimate public GitHub repository (VoltAgent/awesome-codex-subagents) with MIT license and clear attribution.
No obfuscated, typosquatted, or attacker-controlled dependencies declared; no hidden binary execution or supply-chain injection vectors.
Agent Intent
Low
All 16 agent instructions are legitimate quality/security review personas (accessibility, AD security, architecture, debugging, penetration testing, etc.) with no prompt-injection, role-hijacking, or credential-exfiltration directives.
No instructions to read sensitive files (~/.ssh, ~/.aws, .env), exfiltrate data, hide instructions, install remote payloads, or leak system prompts.
Guidance is constructive and security-conscious: agents are instructed to prioritize evidence-driven findings, avoid over-claiming certainty, and call out validation gaps—this is defensive, not poisoning.
Details
Evidence
All agent markdown files follow identical safe template: 'Own [task] work as evidence-driven quality and risk reduction, not checklist theater.'
Penetration-tester agent explicitly states: 'Do not provide offensive instructions for unauthorized targets or claim exploit success without evidence.'
Security-auditor agent: 'Do not claim full security assurance from static review alone unless explicitly requested.'
Permissions
Low
Two agents declare workspace-write (browser-debugger, test-automator) for legitimate UI debugging and test-file creation; both are scoped to their stated purpose.
No shell, file_delete, file_mutate, or unrestricted file_write permissions; no alwaysApply=true rules with broad globs.
Details
Evidence
browser-debugger: 'sandbox_mode: workspace-write' for browser MCP server evidence gathering.
test-automator: 'sandbox_mode: workspace-write' for test implementation.
All others: 'sandbox_mode: read-only' for review/analysis tasks.
MCP Risk
Low
No MCP servers declared in profile; no hidden tool definitions or arbitrary binary execution.
Browser-debugger references a 'browser MCP server' in description but does not define or configure one—implementation is deferred to parent agent/platform.
Details
Evidence
Profile declares '(none)' under MCP servers section.
No tool definitions, environment credentials, or external host access configured.