registry  /  forge-harness  /  0.1.0-rc16

forge-harness@0.1.0-rc16

Spec-Driven Development harness: single source of truth in .forge/, multi-agent adapters (Claude/Codex/Cursor/Gemini/…), native code graph and deterministic validators. Zero runtime deps.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is established. Explicit harness initialization can install a first-party Claude plugin and project-local agent/Git integrations.

Static reason
No blocking static signals were detected.
Trigger
User runs `npx forge-harness init` with the Claude adapter active, or runs `install-plugin`.
Impact
Writes project-local `.forge`, adapter files, and optionally `~/.claude/skills/forge`; no exfiltration or remote execution was confirmed.
Mechanism
User-invoked projection of Forge commands, Claude settings, and Git hooks.
Rationale
Source inspection confirms user-invoked first-party AI-agent extension setup, including a home-directory Claude plugin write. The behavior is not a concrete malicious chain, but merits a warning under the extension lifecycle policy.
Evidence
package.jsonbin/forge.mjstemplate/.forge/scripts/lib/sync-adapters.mjstemplate/.forge/scripts/lib/plugin-build.mjstemplate/.forge/adapters/claude.yamltemplate/.forge/hooks/pre-tool-use/prevent-secrets-leak.sh<target>/.forge/<target>/.claude/settings.json<target>/AGENTS.md<target>/CLAUDE.md<target>/.gitignore<target>/.github/workflows/staging.yml~/.claude/skills/forge<target>/.git/config

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/forge.mjs` auto-installs a Claude plugin under `~/.claude/skills/forge` during `init` when Claude is active.
  • `template/.forge/scripts/lib/sync-adapters.mjs` materializes tool-specific project control files, including `.claude/settings.json`.
  • `bin/forge.mjs` explicitly sets project Git `core.hooksPath` to `.forge/hooks/git` when none exists.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • CLI actions require explicit `init`, `update`, or `install-plugin` invocation.
  • Inspected CLI, adapter sync, plugin builder, and hooks contain no network client, download, credential harvesting, or exfiltration path.
  • Pre-tool hooks enforce naming, worktree location, and secret-leak prevention rather than execute remote payloads.
  • Git hooks are project-local and preserve an existing custom `core.hooksPath`.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 31.4 KB of source

Source & flagged code

3 flagged · loading source
bin/forge.mjsView file
188const lib = join(TEMPLATE_FORGE, 'scripts', 'lib', 'plugin-build.mjs'); L189: const { collectCommands, planForgePlugin, writePlugin } = await import(pathToFileURL(lib).href); L190: const dest = out || join(homedir(), '.claude', 'skills', 'forge');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/forge.mjsView on unpkg · L188
template/.forge/hooks/pre-tool-use/check-language-policy.shView file
path = template/.forge/hooks/pre-tool-use/check-language-policy.sh kind = payload_in_excluded_dir sizeBytes = 2120 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

template/.forge/hooks/pre-tool-use/check-language-policy.shView on unpkg
path = template/.forge/hooks/pre-tool-use/check-language-policy.sh kind = build_helper sizeBytes = 2120 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

template/.forge/hooks/pre-tool-use/check-language-policy.shView on unpkg

Findings

1 High3 Medium3 Low
HighPayload In Excluded Dirtemplate/.forge/hooks/pre-tool-use/check-language-policy.sh
MediumDynamic Requirebin/forge.mjs
MediumShips Build Helpertemplate/.forge/hooks/pre-tool-use/check-language-policy.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings