Security risk report for @forgecat/anthropics_knowledge-work-plugins_design v0.0.8
Source Integrity
Low
Profile sourced from Anthropic's official knowledge-work-plugins repository (GitHub: anthropics/knowledge-work-plugins).
Licensed under Apache-2.0; version 0.0.8 with commit hash d2ba7f6 provided for traceability.
Tested on legitimate platforms (Claude Code, Cursor, Codex); no supply-chain red flags.
Agent Intent
Low
Content describes legitimate design workflows (critique, accessibility audits, handoff specs, research synthesis) with no instructions to manipulate the AI, ignore system prompts, or exfiltrate data.
Skill descriptions use standard trigger phrases and output templates; no hidden directives or role-hijacking language.
Tool placeholders (~~design tool, ~~project tracker) are transparent connectors for user-selected services — not obfuscated injection vectors.
No language instructing the AI to 'ignore', 'bypass', 'hide', or 'leak' anything.
References to external tools (Figma, Slack, Linear) are documented in CONNECTORS.md as optional integrations, not covert exfiltration channels.
Permissions
Low
Skills are read-only and advisory: design critique, accessibility review, research synthesis, UX copy writing, and design system documentation.
No file_write, file_delete, shell, or high-risk tool categories declared or implied.
MCP servers (Figma, Slack, Linear, Notion, Intercom, Asana, Atlassian, Google Calendar, Gmail) are standard SaaS integrations; permissions are scoped to their native APIs (read design files, post to channels, create tickets, etc.) — appropriate to stated functions.
Details
Evidence
Skills request user input (Figma URLs, screenshots, transcripts) and generate structured output; no autonomous file mutation or system commands.
MCP server list matches the documented connectors in README.md and CONNECTORS.md — no undeclared or excessive authority.
MCP Risk
MCP-000Medium
All nine MCP servers point to well-known, vendor-operated official endpoints (slack.com, figma.com, linear.app, asana.com, atlassian.com, notion.com, intercom.com, claude.com) with no unknown or arbitrary binaries.
No hidden instructions are embedded in tool descriptions; the MCP configuration is a clean JSON object with only type and URL fields.
The breadth of external service access (especially Gmail) is wider than strictly necessary for a design workflow plugin, warranting caution even though individual servers are from reputable vendors.
Details
Evidence
'gmail': {'type': 'http', 'url': 'https://gmail.mcp.claude.com/mcp'} — email access not clearly justified by design workflow scope
'intercom': {'type': 'http', 'url': 'https://mcp.intercom.com/mcp'} — customer support data access; justified only for research-synthesis skill
All URLs use HTTPS and point to first-party vendor domains; no unknown binary execution