Security risk report for @forgecat/anthropics_claude-plugins-official_commit-commands v0.0.2
Source Integrity
Low
Profile is sourced from Anthropic's official claude-plugins-official repository (https://github.com/anthropics/claude-plugins-official), a trusted first-party source.
Metadata includes original commit hash (cf62a6c), Apache-2.0 license, and clear attribution, supporting supply-chain integrity.
Agent Intent
Low
Content describes and documents legitimate git workflow automation (commit, push, PR creation, branch cleanup) without attempting to manipulate the AI into reading credentials, exfiltrating data, or executing hidden payloads.
No instructions to ignore system prompts, reveal hidden instructions, or install remote code; all commands are standard git/GitHub CLI operations.
Bash commands are explicit and scoped to git operations; no obfuscated or paraphrased malicious guidance.
Details
Evidence
Commands are straightforward: `git branch -v`, `git worktree list`, `git branch -D`, `gh pr create` — all documented git/GitHub operations.
README explicitly states 'Avoids committing files with secrets (.env, credentials.json)' — demonstrates security awareness, not poisoning.
No guidance to weaken security defaults, use typosquatted packages, or install attacker-controlled dependencies.
Permissions
PRM-000Medium
The clean_gone command executes a multi-step bash pipeline with no declared allowed-tools restriction, meaning it runs arbitrary shell logic (including worktree removal and forced branch deletion) without an explicit tool allowlist.
The commit-push-pr and commit commands use scoped Bash allowlists, which is appropriate and well-constrained for their stated purpose.
Force-deleting branches and worktrees (git worktree remove --force, git branch -D) is a destructive operation; while contextually appropriate, the lack of an allowed-tools guard on clean_gone.md slightly elevates the risk profile.
Details
Evidence
commands/clean_gone.md has no 'allowed-tools' frontmatter, unlike the other two commands
"git worktree remove --force \"$worktree\""
"git branch -D \"$branch\""
MCP Risk
Low
No MCP servers are declared in the profile; all operations are performed via direct bash commands.
No hidden instructions in tool descriptions; command documentation is transparent and matches the stated purpose.
Details
Evidence
Profile metadata shows '(none)' for MCP servers.
All tool invocations are explicit bash commands with clear intent.