# Pitfall Log

Project: KeyValueSoftwareSystems/agent-opfor

Summary: Found 33 structured pitfall item(s), including 2 high/blocking item(s). Top priority: Security or permission risk - Security or permission risk requires verification.

## 1. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security_permissions risk before relying on the project: feat: opfor setup wizard has no prompt for custom HTTP headers on url-transport MCP targets
- User impact: Developers may expose sensitive permissions or credentials: feat: opfor setup wizard has no prompt for custom HTTP headers on url-transport MCP targets
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/166

## 2. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security_permissions risk before relying on the project: feat: support for evaluating Site-Specific Extension Execution
- User impact: Developers may expose sensitive permissions or credentials: feat: support for evaluating Site-Specific Extension Execution
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/179

## 3. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v0.10.0
- User impact: Upgrade or migration may change expected behavior: v0.10.0
- Evidence: failure_mode_cluster:github_release | https://github.com/KeyValueSoftwareSystems/agent-opfor/releases/tag/v0.10.0

## 4. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/171

## 5. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.host_targets | https://github.com/KeyValueSoftwareSystems/agent-opfor

## 6. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: bug: Nested .opfor configs
- User impact: Developers may misconfigure credentials, environment, or host setup: bug: Nested .opfor configs
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/183

## 7. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: bug: Significant delay in registering pause button clicks.
- User impact: Developers may misconfigure credentials, environment, or host setup: bug: Significant delay in registering pause button clicks.
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/182

## 8. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: bug: browser extension targets login form instead of chatbot input during red-team assessment
- User impact: Developers may misconfigure credentials, environment, or host setup: bug: browser extension targets login form instead of chatbot input during red-team assessment
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/178

## 9. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: bug:browser extension generates next attack before the agent has completed its response
- User impact: Developers may misconfigure credentials, environment, or host setup: bug:browser extension generates next attack before the agent has completed its response
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/180

## 10. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: feat: add first-class support for additional LLM providers
- User impact: Developers may misconfigure credentials, environment, or host setup: feat: add first-class support for additional LLM providers
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/181

## 11. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/183

## 12. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/182

## 13. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/178

## 14. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/180

## 15. Capability evidence risk - Capability evidence risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: README/documentation is current enough for a first validation pass.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.assumptions | https://github.com/KeyValueSoftwareSystems/agent-opfor

## 16. Runtime risk - Runtime risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a runtime risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/177

## 17. Runtime risk - Runtime risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a runtime risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/176

## 18. Maintenance risk - Maintenance risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a maintenance risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/KeyValueSoftwareSystems/agent-opfor

## 19. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: no_demo
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: downstream_validation.risk_items | https://github.com/KeyValueSoftwareSystems/agent-opfor

## 20. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: no_demo
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: risks.scoring_risks | https://github.com/KeyValueSoftwareSystems/agent-opfor

## 21. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/181

## 22. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/166

## 23. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/179

## 24. Capability evidence risk - Capability evidence risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this capability risk before relying on the project: bug: Significant delay in registering pause button clicks.
- User impact: Developers may hit a documented source-backed failure mode: bug: Significant delay in registering pause button clicks.
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/177

## 25. Capability evidence risk - Capability evidence risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this capability risk before relying on the project: feat: Ability to judge and create reports from the conversations between the user and the agent
- User impact: Developers may hit a documented source-backed failure mode: feat: Ability to judge and create reports from the conversations between the user and the agent
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/171

## 26. Capability evidence risk - Capability evidence risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this capability risk before relying on the project: feat: OPFOR getting the ability to upload files to agent
- User impact: Developers may hit a documented source-backed failure mode: feat: OPFOR getting the ability to upload files to agent
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/173

## 27. Capability evidence risk - Capability evidence risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this capability risk before relying on the project: feat: Show the response of agent errors instead of just an HTTP status code.
- User impact: Developers may hit a documented source-backed failure mode: feat: Show the response of agent errors instead of just an HTTP status code.
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/176

## 28. Capability evidence risk - Capability evidence risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this capability risk before relying on the project: feat: evaluator for remote code execution
- User impact: Developers may hit a documented source-backed failure mode: feat: evaluator for remote code execution
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/172

## 29. Capability evidence risk - Capability evidence risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this capability risk before relying on the project: feat: judging file outputs of the agent.
- User impact: Developers may hit a documented source-backed failure mode: feat: judging file outputs of the agent.
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/174

## 30. Capability evidence risk - Capability evidence risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this conceptual risk before relying on the project: feat: Allow the user the steer the attacker agent during testing
- User impact: Developers may hit a documented source-backed failure mode: feat: Allow the user the steer the attacker agent during testing
- Evidence: failure_mode_cluster:github_issue | https://github.com/KeyValueSoftwareSystems/agent-opfor/issues/175

## 31. Runtime risk - Runtime risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this performance risk before relying on the project: v0.9.0
- User impact: Upgrade or migration may change expected behavior: v0.9.0
- Evidence: failure_mode_cluster:github_release | https://github.com/KeyValueSoftwareSystems/agent-opfor/releases/tag/v0.9.0

## 32. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: issue_or_pr_quality=unknown。
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/KeyValueSoftwareSystems/agent-opfor

## 33. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: release_recency=unknown。
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/KeyValueSoftwareSystems/agent-opfor
