controlplaneio / simulator

Kubernetes Security Training Platform - focusing on security mitigation

[Feature]: remove ForwardAgent yes from ssh_client config

cstruck opened this issue · comments

Description

Right now, when creating an ssh_client config, ForwardAgent yes is always set. This is not necessary and also poses a security risk to the user, since he would forward his ssh-agent to a machine that is untrusted from his perspective.

Suggested Solution

Just remove ForwardAgent yes from the config generation.

Alternatives

No response

Additional Context

The ssh_config manpage states this about ForwardAgent:

Agent forwarding should be enabled with caution.  Users with the ability to 
bypass file permissions on the remote host (for the agent's Unix-domain 
socket) can access the local agent through the forwarded connection.  An 
attacker cannot obtain key material from the agent, however they can perform 
operations on the keys that enable them to authenticate using the identities 
loaded into the agent.
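
An added example, not part of the issue or of the simulator's code: a small Python audit that reports whether a given host ends up with agent forwarding enabled under an ssh_config, following OpenSSH's rule that the first obtained value wins. The sample config and host names are constructed, and Match criteria and Include directives are not evaluated.

```python
import fnmatch
import re
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Keyword value" or "Keyword=value"

def parse(text):
    """Return [(host_patterns, {keyword: first value})] in file order."""
    blocks = [(["*"], {})]  # options before any Host line apply to every host
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1).startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([], {}))  # Match criteria are not evaluated here
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def host_matches(patterns, hostname):
    """Any positive pattern must match and no negated (!) pattern may match."""
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    match = lambda ps: any(fnmatch.fnmatchcase(hostname, p) for p in ps)
    return match(pos) and not match(neg)

def effective_forward_agent(text, hostname):
    # ssh uses the first value it obtains while reading the file top to bottom.
    for patterns, opts in parse(text):
        if host_matches(patterns, hostname) and "forwardagent" in opts:
            return opts["forwardagent"]
    return "no"  # OpenSSH default

def forwards_agent(text, hostname):
    # Anything other than "no" (yes, a socket path, a $VARIABLE) forwards an agent.
    return effective_forward_agent(text, hostname).lower() != "no"

SAMPLE = """\
# constructed sample, not the config the simulator generates
Host bastion
    ForwardAgent yes
Host internal-*
    ForwardAgent=no
Host *
    ForwardAgent yes
"""
if __name__ == "__main__":
    print({h: forwards_agent(SAMPLE, h) for h in ("bastion", "internal-1", "other.example")})
```

Because the first obtained value wins, a later `Host *` block cannot switch forwarding off for a host that an earlier block already set to yes.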