Security audit

Insforge Cli

Security checks across malware telemetry and agentic risk

Overview

This InsForge admin helper is not clearly malicious, but it needs review because it can install tools/skills and gives an agent broad authority over databases, secrets, deployments, and persistent backend resources.

Install only if you intend to let an agent administer an InsForge project. Confirm the target project before any mutation, avoid --yes unless you explicitly want prompts skipped, review SQL/import/export/delete/deploy actions, treat secret values/API keys/database dumps as sensitive, and inspect any agent skills added under .agents/skills/insforge after project creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Vague Triggers

Medium
95% confidence
Finding
The activation text is overly broad and explicitly triggers on generic infrastructure requests like creating tables, deploying apps, or setting up cron jobs even when it is unclear whether InsForge is in use. That can cause the agent to invoke a high-privilege backend-management skill in the wrong context, increasing the chance of executing destructive commands or handling secrets against an unintended project.

Missing User Warnings

Medium
91% confidence
Finding
The skill documents raw SQL execution, secret retrieval, destructive storage deletion, and non-interactive credential use, but lacks a dedicated safety section requiring user confirmation, least-privilege handling, and warnings before sensitive actions. In a tool designed for backend administration, omission of such guardrails materially increases the risk of credential exposure, irreversible data loss, and unsafe execution by an agent.

Missing User Warnings

Medium
93% confidence
Finding
The documentation explicitly states that the command fetches and outputs the project's API key/appkey, but it does not warn that this value is a secret or describe safe handling practices. In a CLI/agent context, stdout is often logged to terminals, CI systems, chat transcripts, and agent memory, so exposing credentials this way can lead to unauthorized access to the project environment.

Missing User Warnings

Medium
94% confidence
Finding
The documentation shows commands that export full database schema and potentially all row data to a file such as `backup.sql` or `backup.json` without warning that these dumps may contain sensitive or regulated information. In an infrastructure-management skill, users are especially likely to run these commands against production systems, increasing the chance of creating unencrypted local artifacts that can be copied, committed, or exfiltrated.

Missing User Warnings

Medium
90% confidence
Finding
This documentation promotes direct execution of raw SQL, including schema-changing statements like CREATE TABLE, ALTER TABLE, CREATE POLICY, and CREATE TRIGGER, without any caution about destructive, irreversible, or production-impacting consequences. In an agent skill context, examples often become operational guidance, so omission of safety warnings increases the likelihood that an automated or minimally supervised agent will run high-impact database changes directly.

Missing User Warnings

Medium
92% confidence
Finding
The --unrestricted option is documented as enabling access to system tables, but it lacks any warning that this may expose sensitive metadata about schemas, roles, extensions, or internal database structure. In backend infrastructure tooling, that metadata can materially aid reconnaissance and unsafe automation, especially when surfaced to an agent or user without clear guardrails.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.