Security risk report for @forgecat/anthropics_knowledge-work-plugins_customer-support v0.0.8
Source Integrity
Low
Profile is sourced from Anthropic's official knowledge-work-plugins repository (GitHub: anthropics/knowledge-work-plugins).
Author is declared as Anthropic; original commit hash provided (d2ba7f6).
Licensed under Apache-2.0; supply chain is transparent and from a trusted vendor.
Agent Intent
Low
Content describes legitimate customer support workflows (triage, research, response drafting, escalation, KB authoring) with no instructions to manipulate the AI or hide its instructions.
Markdown uses tool placeholders (~~support platform, ~~CRM, etc.) to document connector categories — this is transparent documentation of integrations, not hidden guidance poisoning.
No instructions to read credentials, exfiltrate data, ignore system prompts, install remote payloads, or weaken security defaults.
Guidance on research, drafting, and escalation follows standard support best practices (e.g., 'be honest', 'own it', 'verify facts') — no deceptive or attacker-serving instruction.
Details
Evidence
CONNECTORS.md: 'Plugins are tool-agnostic — they describe workflows in terms of categories (support platform, CRM, chat, etc.) rather than specific products.'
draft-response/SKILL.md: 'Be honest: Never overpromise, never mislead, never hide bad news in jargon.'
customer-research/SKILL.md: 'Confidence by Source Tier' table emphasizes verification and source prioritization — no instruction to bypass verification or trust unverified sources.
Permissions
Low
Skills are read-only research and drafting tools (customer-research, draft-response, kb-article, customer-escalation, ticket-triage) — no file write, delete, or shell execution.
MCP servers are external integrations (Slack, Intercom, HubSpot, Guru, Atlassian, Notion, Microsoft 365, Google Calendar, Gmail) — authority is scoped to those platforms' native APIs, not arbitrary filesystem or shell access.
Placeholder references (~~support platform, ~~CRM, ~~chat) are documented connectors, not hidden escalation of privilege.
Details
Evidence
README.md Skills table: all five skills are read-only (triage, research, drafting, escalation packaging, KB authoring).
MCP servers list: all are known SaaS platforms with standard OAuth/API authentication — no shell, file_write, or file_delete categories.
MCP Risk
MCP-000Medium
All nine MCP servers point to well-known, vendor-operated official endpoints (slack.com, intercom.com, hubspot.com, atlassian.com, notion.com, microsoft/google claude-hosted), reducing supply-chain risk.
No hidden instructions were found in tool descriptions; no arbitrary binary execution or unrestricted filesystem access is configured.
The sheer number of external host connections (nine services) and the inclusion of full-mailbox services (Gmail, M365) warrants caution — a compromised or misconfigured server in this chain could expose broad organizational data.