Security risk report for @forgecat/anthropics_knowledge-work-plugins_engineering v0.0.8
Source Integrity
Low
Profile sourced from Anthropic's official knowledge-work-plugins repository on GitHub.
Declared as Apache-2.0 licensed with clear attribution and original commit hash (d2ba7f6).
Agent Intent
Low
Content describes legitimate engineering workflows (code review, incident response, system design, debugging) without injecting malicious instructions.
No directives to ignore system instructions, exfiltrate data, read credentials, or hide behavior.
Skill descriptions document workflows and output formats; they guide the agent toward helpful behavior, not manipulation.
Details
Evidence
All skills are framed as structured workflows with clear input/output formats (e.g., 'Review code changes for security, performance, and correctness').
Connector placeholders (~~source control, ~~monitoring) are transparent tool-agnostic references, not hidden instructions.
No language attempting to override system prompts, leak internal state, or weaken security defaults.
Permissions
Low
Skills request only read-level access to external tools (pull PR diffs, fetch logs, retrieve ticket status).
No file_write, file_delete, shell, or high-risk operations declared in skill definitions.
MCP servers are configured for legitimate integrations (Slack, GitHub, PagerDuty, Datadog) aligned with stated engineering workflow purposes.
Details
Evidence
Skills like /code-review and /debug ask for PR URLs or error messages as input, not write permissions.
Incident-response skill creates status updates and postmortems but does not request authority to modify production systems.
All MCP servers are HTTP-based integrations with well-known SaaS platforms, not arbitrary binaries or unrestricted filesystem access.
MCP Risk
MCP-000Medium
All 10 MCP servers point to well-known, official vendor endpoints (slack.com, linear.app, github.com, etc.) with no unknown binaries or arbitrary execution.
Gmail and Google Calendar MCP servers grant access to personal communications and scheduling data, which is broader than typical engineering tooling and warrants user awareness.
No hidden instructions are embedded in tool descriptions; server definitions are clean URL-only configurations with no suspicious parameters.
Details
Evidence
'gmail': {'type': 'http', 'url': 'https://gmail.mcp.claude.com/mcp'} — email access not directly required for code review or incident response
'google-calendar': {'type': 'http', 'url': 'https://gcal.mcp.claude.com/mcp'} — calendar access tangentially related (standup scheduling) but adds personal data exposure
All other servers (GitHub, Slack, PagerDuty, Datadog, Linear, Asana, Atlassian, Notion) are directly relevant to the stated engineering workflow purpose