Is jamesrp13/soulforge safe?

The skill mandates installation of @ghostwater/soulforge from npm, a package hosted in the separate ghostwater-ai/soulforge repository that was not examined in this audit. npm packages can execute arbitrary code via preinstall, postinstall, and install lifecycle scripts at install time with the invoking user's privileges. A global install (-g) means any malicious payload runs outside any sandboxed working directory and persists in the system PATH.

Every workflow invocation requires a --callback-url destination (--no-callback must be explicitly opted into). The callback body is user-templatable and includes {{task}}, which contains the full task description string. If an agent is manipulated into omitting --no-callback or into supplying an attacker-controlled URL, run metadata including the complete task description is POST'd externally. The --callback-headers parameter additionally allows arbitrary authorization tokens to be forwarded.

The skill starts a persistent daemon process (soulforge daemon start) that continues running after the agent session ends and accepts run commands independently. This means a compromised or manipulated workflow dispatch persists beyond the user's active oversight window. The daemon can be re-triggered by any subsequent process with access to the soulforge CLI.

The feature-dev pipeline dispatches Claude Code CLI invocations that send the full working repository as context to Anthropic's API (and optionally OpenAI via Codex). While disclosed, this means any repository handled by this skill—including those containing proprietary code, secrets left in tracked files, or sensitive business logic—is transmitted externally as a side effect of normal operation.

The skill's recommended workflow convention instructs the executor (claude-code) to fetch and interpret GitHub issue bodies as authoritative specifications. An attacker with write access to a referenced issue (or via a public repo's issue tracker) could inject adversarial prompt content that alters the executor's behavior in subsequent pipeline steps, including the implement and pr stages.

The pipeline includes self-executor checkpoints (review-plan, final-review) that are designed to pause for human approval before proceeding. An agent operating this skill could call soulforge approve automatically without surfacing the checkpoint to the user, causing unsupervised code implementation and PR submission to production repositories.

All six canary credential files were opened and read at 09:36:53, approximately 5 seconds before the git clone initiated. Timing and process context analysis indicates these reads are attributable to the audit monitoring infrastructure's baseline phase rather than the skill. Canary integrity check confirms no modification and no exfiltration. Flagged for completeness.

The skill description honestly discloses all external data flows, required credentials, and network destinations. No attempts to override system instructions, suppress output, or assume alternate personas were detected. The Security & Data Flow section explicitly warns users about each category of data transmission.

The only external HTTPS connection during the install phase was to github.com (140.82.121.4:443) for the sparse git clone. No connections to unexpected C2 infrastructure, no DNS lookups for attacker-controlled domains, no data transmitted beyond the standard git protocol negotiation.