Security risk report for @forgecat/anthropics_knowledge-work-plugins_data v0.0.8
Source Integrity
Low
Profile is authored by Anthropic and sourced from the official knowledge-work-plugins repository on GitHub.
All content is documented as Apache-2.0 licensed and traceable to a specific commit (d2ba7f6).
No suspicious external dependencies or undeclared package sources.
Agent Intent
Low
Content describes legitimate data analysis workflows (SQL querying, visualization, dashboard building) without instructing the agent to ignore instructions, exfiltrate data, or read credentials.
The `data-context-extractor` skill is a meta-skill for generating company-specific analysis tools; it documents discovery and documentation processes, not malicious instruction injection.
Templates and examples (e.g., `skill-template.md`, `domain-template.md`) are educational scaffolds for creating reference documentation, not poisoned guidance or hidden directives.
No guidance weakens security defaults, installs backdoored code, or steers outputs toward attacker goals; all recommendations align with standard data analysis best practices.
Details
Evidence
CONNECTORS.md: 'Plugins are tool-agnostic — they describe workflows in terms of categories' (describes, does not instruct manipulation)
data-context-extractor SKILL.md: 'Extract company-specific data knowledge from analysts and generates tailored data analysis skills' (legitimate meta-skill, no injection language)
skill-template.md: '[PLACEHOLDER]' format is a neutral template for users to fill in, not hidden instructions
No references to reading ~/.ssh, ~/.aws, .env, or exfiltrating data to external hosts
Permissions
Low
Profile declares no direct tool permissions (no shell, file_write, file_delete, etc.); it is a collection of markdown skill definitions and MCP server references.
MCP servers are external integrations (BigQuery, Snowflake, Hex, Amplitude, Atlassian) that the user explicitly connects; the profile does not demand authority beyond describing how to use them.
Skills like `analyze`, `write-query`, `build-dashboard` are descriptive workflows that guide the agent's reasoning, not executable tools with excessive agency.
Details
Evidence
No 'alwaysApply=true' rules or glob patterns matching '**'
MCP servers are listed as optional connectors in CONNECTORS.md; user chooses which to enable
Skills are invocable guidance, not autonomous agents with unrestricted permissions
MCP Risk
MCP-000Medium
Multiple external MCP servers are configured (BigQuery, Hex, Amplitude, Atlassian, Definite), each requiring network access to third-party hosts; this is expected for a data-integration plugin but represents a non-trivial external attack surface.
All configured URLs point to well-known, legitimate vendor endpoints (googleapis.com, hex.tech, amplitude.com, atlassian.com, definite.app) with no unknown or attacker-controlled hosts detected.
Snowflake and Databricks entries have empty URLs (placeholders), so they pose no immediate risk, but users should verify the URLs they fill in before use.