Forge Autonomous Agent

Security checks across malware telemetry and agentic risk

Overview

FORGE is openly an autonomous developer, but it asks for broad credentials and persistent control that can keep acting and changing itself after setup.

Install only in a disposable or tightly sandboxed environment, and only after reviewing the external engine installer. Use test accounts and fine-grained least-privilege tokens, avoid the `delete_repo` scope, do not paste long-lived secrets into chat, disable autostart and self-mutation until audited, and require manual review before repository changes, public publishing, or external status reporting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

Context-Inappropriate Capability

Severity: Medium | Confidence: 87%
The README states the system can automatically create third-party accounts for services like Google, GitHub, ClawHub, and Telegram, which is outside the narrowly expected scope of an AI developer/build tool. Combining autonomous account creation with local engine access, browser tooling, and publishing capability expands the trust boundary significantly and could enable unauthorized identity creation, terms-of-service violations, or abuse of linked external services.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Advertising self-extension means the system can modify or augment its own capabilities, which is a dangerous privilege escalation pattern for an autonomous agent already connected to shell, file, git, and browser tools. In this context, self-modification can bypass original safety assumptions, introduce unreviewed code paths, and make later behavior harder for users to predict or audit.

Intent-Code Divergence

Severity: Medium | Confidence: 94%
The setup text says wizard state is written to `state.json`, but the initialization shown actually creates `~/.forge/ledger/state.json`, creating ambiguity about where state and possibly sensitive metadata live. This inconsistency can cause the agent or operator to read/write the wrong file, weakening auditability and increasing the chance of accidental disclosure or broken safety controls.

Intent-Code Divergence

Severity: Medium | Confidence: 96%
The rules say credentials go exclusively to `~/.forge/.env`, but the flow later writes account identifiers and operational settings into `~/.forge/config.json`. Even if not all values are secrets, this contradiction encourages unsafe handling of identity-linked data and can lead future maintainers to place additional credentials in less protected files.

Missing User Warnings

Severity: Medium | Confidence: 84%
The README describes automatic account creation and broad operational capabilities, but does not clearly explain the privacy, data-sharing, and identity implications of interacting with multiple third-party services. Because the skill also coordinates an engine on the user's Ubuntu machine, the missing disclosure makes the overall behavior more dangerous: users may not understand what credentials, personal data, or browsing activity are exposed.

Missing User Warnings

Severity: Medium | Confidence: 94%
The installation instructions pipe a remote script directly into bash without an explicit warning about the security implications. This is dangerous because users execute unaudited internet-fetched code immediately on their machine, and the repository owner is user-controlled via an environment variable, increasing the risk of arbitrary code execution from an unexpected source.

Missing User Warnings

Severity: Medium | Confidence: 95%
The workflow explicitly asks users to provide highly sensitive tokens and stores them locally, but it does not clearly warn the user about plaintext local storage, shell sourcing, or host compromise risks. Users may unknowingly expose API keys, bot tokens, and account credentials to other local users, logs, backups, or later prompts.

Missing User Warnings

Severity: High | Confidence: 99%
The skill directs creation of a Google account, then stores a generated account password in `~/.forge/.env` without a meaningful warning or secure storage mechanism. Persisting an account password in plaintext is especially dangerous because compromise enables broad account takeover beyond the immediate tool integration.

Missing User Warnings

Severity: High | Confidence: 99%
The GitHub flow requests a classic token with broad scopes including `delete_repo`, but does not explain the destructive power of that permission. If the token is exposed through chat, local files, logs, or prompt leakage, an attacker could delete repositories, modify code, or abuse workflows.

Missing User Warnings

Severity: Low | Confidence: 90%
The Telegram setup performs an immediate live API call using the provided bot token and chat ID, but the user is not clearly warned that external network transmission will happen right away. This is lower severity than password storage, but it still transmits supplied credentials to a third-party service and may surprise users in sensitive environments.

Missing User Warnings

Severity: Medium | Confidence: 92%
The startup sequence explicitly sources `~/.forge/.env` before launching the engine, which enables access to secrets and tokens without any disclosure in this skill about what data may be loaded or later used. In the context of an autonomous agent with shell, API, logging, and outbound messaging capabilities, implicit secret loading materially increases the risk of credential exposure or unintended downstream use.

Missing User Warnings

Severity: High | Confidence: 98%
The prompt says every action is reported to Telegram and OpenClaw simultaneously and that the agent 'never goes dark,' creating a default exfiltration path for task content, system state, outputs, and potentially secrets. Because this reporting is broad, automatic, and not scoped to safe metadata, it creates a significant risk of leaking sensitive user or system information to external channels.

Missing User Warnings

Severity: Medium | Confidence: 90%
The MCP registry exposes write, move, delete, and shell capabilities with no user-facing disclosure here about the breadth of filesystem and command execution authority. In an autonomous build loop, these powers can cause destructive local changes, execute unsafe commands, or modify repositories and host state beyond the user's expectations.

Vague Triggers

Severity: Medium | Confidence: 94%
The manifest describes an autonomous agent that continuously researches, builds, ships software, mutates its own code, extends its own capabilities, and 'does not stop,' but it does not define meaningful operational boundaries, approval gates, or task limits. In combination with autostart and powerful tools, this creates a high-risk agent profile where unsafe actions, scope creep, and unintended persistence can occur without clear user control.

Missing User Warnings

Severity: High | Confidence: 97%
The skill enables sensitive capabilities including shell access, file read/write, browser automation, git operations, Telegram messaging, and web search, while also supporting external reporting pathways. Even if a risk prompt exists elsewhere, this file grants broad action and exfiltration primitives without inline constraints, consent requirements, or data-handling limits, making misuse or prompt-induced abuse materially dangerous.

Missing User Warnings

Severity: High | Confidence: 99%
The runtime explicitly declares an infinite loop, persistent state, restart resume behavior, self-mutation, parallel forks, and external reporting. That combination materially increases danger because the agent can continue operating, changing itself, and propagating actions across sessions with limited user awareness, turning mistakes or malicious prompt influence into durable and escalating behavior.

Ssd 3

Severity: High | Confidence: 98%
The setup is designed to collect sensitive secrets directly through conversation and persist them for later use. In a conversational agent context, this is dangerous because chat transcripts, model context, debugging logs, and downstream tools may all expose the secrets beyond the intended storage location.

Ssd 3

Severity: High | Confidence: 98%
The skill instructs users to paste API keys into chat and then appends them directly into a plaintext environment file. This creates multiple exposure points: the chat itself, the shell history if echoed unsafely, local files, backups, and any later process that reads or leaks `.env` contents.

Ssd 3

Severity: High | Confidence: 99%
The account-creation flow asks for a phone number to complete verification and stores a generated account password for reuse. Combining personal data and account credentials in an automated setup materially increases privacy risk and creates a durable account-takeover target on the local machine.

Ssd 3

Severity: High | Confidence: 99%
The GitHub setup asks for a high-privilege token to be pasted into chat, authenticates with it, and stores it for ongoing automation. In this context, the token can grant code modification, workflow execution, repository destruction, and organizational access, making it a high-value secret with serious blast radius.

Ssd 3

Severity: High | Confidence: 97%
The Telegram flow asks the user to disclose the bot token and chat ID in conversation and then stores them for persistent command-and-control use. A leaked bot token enables unauthorized messaging and bot control, and in this setup it becomes a remote management channel for the autonomous agent.

Ssd 3

Severity: Medium | Confidence: 97%
Mandating broad natural-language reporting of all significant actions and state to Telegram/OpenClaw creates a direct data leakage channel, especially because agent reasoning, issue contents, file names, errors, and environment-derived details may be summarized into chat messages. Natural-language reports are hard to reliably sanitize and can easily include sensitive operational details.

Ssd 3

Severity: Medium | Confidence: 95%
The command set includes chat-facing access to status snapshots, logs, keyring health, and other internal operational data, which increases the chance that sensitive state is exposed through plain-language interfaces. Even if raw secrets are not directly printed, operational metadata about keys, logs, project state, and activity can aid attackers or leak confidential information.

Ssd 3

Severity: Medium | Confidence: 94%
The maintenance workflow directs the agent to mirror issue replies to Telegram and OpenClaw, which can disclose repository issues, internal debugging details, customer reports, or security-relevant discussion outside the original context. Mirroring human-style responses amplifies the chance of leaking sensitive content because the messages are free-form and not constrained to minimal metadata.

VirusTotal

61/61 vendors flagged this skill as clean.