Oathe Security Badge

Is isaac-levine/forage safe?

https://github.com/isaac-levine/forage

97
SAFE

Forage is a legitimate MCP server discovery and installation tool that implements appropriate safety measures including required user confirmation for installations. The tool shows no signs of malicious behavior and all security monitoring indicates normal, expected functionality.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (2)

MEDIUM Tool enables installation and execution of arbitrary npm packages -15

Forage allows users to search for and install arbitrary MCP servers from npm, which involves downloading and executing code. While this is the intended functionality and requires explicit user confirmation, it inherently carries risk if malicious packages exist in the registry.

LOW Potential for social engineering attacks -10

While the tool itself is well-designed with safety measures, it could theoretically be used in social engineering attacks to trick users into installing malicious MCP servers. The required explicit confirmation mitigates this risk significantly.