forge

Remove directives that force the agent to call specific tools or APIs not required for the skill's stated functionality. Tool calls should be determined by user intent, not embedded directives.

Likely FP if the skill legitimately needs to call other tools as part of its workflow (e.g., a deployment skill that calls git and cloud CLI tools).

Prevent the tool from accessing and transmitting database contents. If database access is needed, restrict queries to specific tables and block bulk data export.

Likely FP if the skill is a database management tool where querying and displaying data to the user is the documented core feature.

Block the ability to read and transmit contents of configuration files (.env, config.json, settings.yaml). Implement file path validation to prevent access to sensitive config files.

Likely FP if the skill reads config files to configure itself locally without transmitting the contents externally.

Restrict code execution tools to specific languages and sandbox the runtime environment. Use a container or VM-based sandbox instead of running code directly on the host.

Likely FP if the MCP tool is a dedicated code runner (e.g., Jupyter kernel) with documented sandboxing and no network access.

Validate and sanitize all data received from external APIs before using it in tool operations or agent prompts. Implement schema validation and treat API responses as untrusted input.

Likely FP if the match is a truncated table cell or documentation fragment that mentions API responses in a descriptive context, not actual unvalidated data processing.