Security risk report for @forgecat/voltagent_awesome-codex-subagents_research-analysis v0.0.10
Source Integrity
Low
Profile references a legitimate open-source repository (VoltAgent/awesome-codex-subagents) with MIT license and verifiable commit hash.
Installation method uses standard ForgeCat package manager; no suspicious or obfuscated source paths.
Agent Intent
Low
All seven agent instructions focus on legitimate research and analysis workflows (competitive analysis, data synthesis, documentation verification, market research, trend analysis, search, structured investigation).
No directives to read credentials, exfiltrate data, ignore instructions, reveal system prompts, or install malicious payloads.
Guidance emphasizes source verification, evidence traceability, confidence articulation, and quality checks—standard best practices for analytical work, not poisoning.
Details
Evidence
competitive-analyst: 'verify each comparison point is source-backed or clearly labeled inference'
data-researcher: 'verify key claims trace to concrete source evidence'
docs-researcher: 'verify answer statements map to concrete documentation references'
research-analyst: 'verify each major claim has traceable supporting evidence'
Permissions
Low
All agents declare sandbox_mode: read-only, restricting to information gathering and analysis only.
No file_write, file_delete, shell, or other high-risk tool categories declared.
No MCP servers or external tool integrations defined; agents operate within model reasoning scope.
Details
Evidence
All agent YAML headers include 'sandbox_mode: read-only'
No tools or MCP server definitions in profile
MCP Risk
Low
No MCP servers declared in the profile.
No external binary execution, unrestricted network access, or filesystem mutation defined.