Problem
Before spawning a container, Forge passes the workspace directly to the agent with no inspection of context files. If a malicious actor places an injection payload in CLAUDE.md, AGENTS.md, or similar files in a target repo, the agent will process it without any warning or block.
Proposed solution
Before ContainerRunner.run() spawns the container, walk the workspace for files matching: CLAUDE.md, AGENTS.md, .cursorrules, SKILL.md.
Run a heuristic scanner over their content looking for known injection patterns (e.g. ignore previous instructions, you are now, attempts to call unexpected tools).
- On critical findings: log a
WARNING and optionally block (configurable via FORGE_INJECTION_SCAN_MODE=warn|block)
- Log findings at worker level with ticket key for traceability
Reference
Learned from fullsend, which implements a two-pass scan (host-side before upload, sandbox-side after): internal/security/, internal/cli/run.go:scanRepoContextFiles()
Problem
Before spawning a container, Forge passes the workspace directly to the agent with no inspection of context files. If a malicious actor places an injection payload in
CLAUDE.md,AGENTS.md, or similar files in a target repo, the agent will process it without any warning or block.Proposed solution
Before
ContainerRunner.run()spawns the container, walk the workspace for files matching:CLAUDE.md,AGENTS.md,.cursorrules,SKILL.md.Run a heuristic scanner over their content looking for known injection patterns (e.g.
ignore previous instructions,you are now, attempts to call unexpected tools).WARNINGand optionally block (configurable viaFORGE_INJECTION_SCAN_MODE=warn|block)Reference
Learned from fullsend, which implements a two-pass scan (host-side before upload, sandbox-side after):
internal/security/,internal/cli/run.go:scanRepoContextFiles()