Security risk report for @forgecat/anthropics_claude-plugins-official_feature-dev v0.0.3
Source Integrity
Low
Profile sourced from official Anthropic repository (https://github.com/anthropics/claude-plugins-official), a trusted first-party source.
Metadata clearly attributes origin to Anthropic with commit hash and Apache-2.0 license, enabling verification.
Agent Intent
Low
Content describes a legitimate feature development workflow with three specialized agents (code-explorer, code-architect, code-reviewer) for codebase analysis, architecture design, and code review—standard software engineering practices.
No instructions to ignore system prompts, exfiltrate credentials, read sensitive files, or hide instructions; no prompt injection, role hijacking, or system prompt leakage attempts.
Agent descriptions and command workflows document legitimate tool use (Glob, Grep, Read, WebFetch, TodoWrite) for code analysis and documentation—no guidance poisoning or malicious knowledge injection.
Details
Evidence
code-architect.md: 'Designs feature architectures by analyzing existing codebase patterns and conventions, then providing comprehensive implementation blueprints'
code-explorer.md: 'Deeply analyzes existing codebase features by tracing execution paths, mapping architecture layers'
code-reviewer.md: 'Reviews code for bugs, logic errors, security vulnerabilities, code quality issues, and adherence to project conventions'
feature-dev.md Phase 1–7: Structured workflow for discovery, exploration, clarification, design, implementation, review, and summary—no malicious instructions
Permissions
PRM-000Medium
All three agents (code-architect, code-explorer, code-reviewer) declare the `KillShell` and `BashOutput` tools, which are shell-adjacent capabilities that go beyond the read-only codebase analysis described in their purposes.
The `WebFetch` and `WebSearch` tools are also included across all agents; while potentially useful for documentation lookups, they introduce external network access that is broader than pure local code analysis.
The core read-only tools (Glob, Grep, LS, Read, NotebookRead) are well-matched to the stated purposes, but the addition of `KillShell`, `BashOutput`, and `TodoWrite` across every agent represents moderately excessive authority for agents described as explorers and reviewers.
No MCP servers defined in profile; all tool access is declared inline within agent markdown files.
Tool declarations are standard Cursor/Claude Code plugin categories with no hidden binary execution, arbitrary network access, or obfuscated instructions.