Security risk report for @forgecat/voltagent_awesome-codex-subagents_specialized-domains v0.0.10
Source Integrity
Low
Profile references legitimate public repository (VoltAgent/awesome-codex-subagents) with clear attribution and MIT license.
Commit hash and version tracking provide supply-chain transparency; no obfuscated or unsigned dependencies.
Agent Intent
Low
All 12 agent instructions focus on domain-specific engineering best practices (API docs, blockchain, fintech, IoT, etc.) with explicit guardrails against scope creep and unsafe shortcuts.
No instructions to read credentials, exfiltrate data, ignore system prompts, or install remote payloads; no prompt-injection or guidance-poisoning patterns detected.
Agents explicitly instruct NOT to weaken controls (e.g., 'Do not weaken financial controls', 'Do not relax payment safety controls', 'Do not propose unsafe fleet-wide changes') — reinforces safety boundaries rather than subverting them.
Details
Evidence
fintech-engineer: 'Do not weaken financial controls or bypass reconciliation safeguards unless explicitly requested'
payment-integration: 'Do not relax payment safety controls or skip reconciliation safeguards unless explicitly requested'
iot-engineer: 'Do not recommend unsafe fleet-wide changes without staged rollout controls unless explicitly requested'
Permissions
Low
Most agents use read-only sandbox mode (m365-admin, quant-analyst, risk-manager, seo-specialist) appropriate for analysis and review tasks.
Agents with workspace-write (api-documenter, blockchain-developer, embedded-systems, fintech-engineer, game-developer, iot-engineer, mobile-app-developer, payment-integration) are scoped to their stated domain work; no shell, file_delete, or unrestricted file_write declared.
No tools or hooks declared; no alwaysApply rules with broad globs; authority matches stated function.
Details
Evidence
m365-admin sandbox_mode: read-only
quant-analyst sandbox_mode: read-only
api-documenter sandbox_mode: workspace-write (appropriate for documentation engineering)
MCP Risk
Low
No MCP servers declared in profile; no hidden tool descriptions or arbitrary binary execution risk.
Profile is pure markdown agent definitions with no external server integration or unrestricted network/filesystem access.