Security risk report for @forgecat/anthropics_knowledge-work-plugins_enterprise-search v0.0.8
Source Integrity
Low
Profile sourced from Anthropic's official knowledge-work-plugins repository on GitHub.
Version pinned to commit d2ba7f6 with Apache-2.0 license; legitimate open-source origin.
Agent Intent
Low
Content describes legitimate enterprise search workflows (decomposing queries, ranking results, synthesizing across sources) with no instructions to manipulate the AI, exfiltrate data, or bypass security.
Placeholder syntax (~~chat, ~~email, ~~cloud storage) is documented as a tool-agnostic design pattern for dynamic source resolution—not a hidden instruction or injection vector.
Skill instructions (search, digest, knowledge-synthesis, search-strategy, source-management) are procedural guidance for multi-source aggregation and result formatting; no prompt injection, system prompt leakage, or guidance poisoning detected.
Details
Evidence
CONNECTORS.md: 'Plugins are tool-agnostic — they describe workflows in terms of categories (chat, email, cloud storage, etc.) rather than specific products.'
search/SKILL.md: 'Synthesize results into answers, do not just list raw search results' — standard UX guidance, not malicious instruction.
knowledge-synthesis/SKILL.md: 'Always surface conflicts rather than silently picking one version' — transparency principle, not deception.
Permissions
Low
MCP servers are read-only query/search tools (Slack search, Notion semantic search, email search, task search, CRM query, wiki search) aligned with the stated enterprise search function.
No file_write, file_delete, shell, or mutation capabilities declared; no alwaysApply rules or overly broad globs.
Authority is scoped to searching and reading across connected sources, matching the profile's documented purpose.
Details
Evidence
README.md MCPs table lists only HTTP endpoints for search/read operations (Slack, Notion, Guru, Atlassian, Asana, Microsoft 365, Google Calendar, Gmail).
.mcp.json defines 8 HTTP-based MCP servers with no shell, file mutation, or unrestricted network access.
MCP Risk
MCP-000Medium
All eight MCP servers point to well-known, legitimate vendor-hosted endpoints (slack.com, notion.com, atlassian.com, asana.com, microsoft/google claude-hosted domains) with no unknown or arbitrary binaries.
No hidden instructions are embedded in tool descriptions; the MCP configuration is straightforward URL-only entries with no suspicious parameters.
The aggregate access to email, calendar, chat, and document stores represents a broad data exposure footprint — a compromise of any one server or OAuth token could expose significant corporate information across all connected services.