I've been using a separate SSH config for git for a long time now. Nice to see it wasn't just paranoia.

Among the settings are explicitly disabling agent forwarding, and using a git specific identity (SSH key).

I’m not so sure git is secure against a malicious server, even if you’re not simply pulling in a Makefile written by the attacker.

Assuming you do perfect integrity checks of the git repo you're pulling, git uses SSH and obeys ssh config for each hosts under the hood. It's safe to say that if you have forward-agent enabled git is vulnerable.