Security risk report for @forgecat/anthropics_knowledge-work-plugins_finance v0.0.8
Source Integrity
Low
Profile is sourced from Anthropic's official knowledge-work-plugins repository (https://github.com/anthropics/knowledge-work-plugins/tree/main/finance), a trusted first-party source.
Metadata indicates Apache-2.0 license and clear attribution; no supply-chain substitution, typosquatting, or attacker-controlled dependencies introduced.
MCP server URLs reference legitimate, well-known services (Google Cloud, Slack, Microsoft); no suspicious or unfamiliar hosts.
Agent Intent
Low
Content is purely educational and procedural documentation for finance and accounting workflows (journal entries, reconciliation, SOX testing, close management); no instructions to manipulate the AI, ignore system prompts, or exfiltrate data.
Disclaimers throughout (e.g., 'does not provide financial advice', 'should be reviewed by qualified professionals') reinforce that the skill is assistive, not directive; no hidden instructions to weaken security or install malicious guidance.
References to external tools (data warehouses, ERP systems, email, chat) are transparent connector placeholders; no guidance to fetch untrusted URLs, install backdoored packages, or poison future outputs with attacker-serving logic.
Details
Evidence
README.md: 'Streamline finance and accounting workflows with Claude. Covers journal entries, account reconciliation, financial statement generation...' — describes legitimate use cases.
audit-support/SKILL.md: 'This skill assists with SOX compliance workflows but does not provide audit or legal advice.' — explicit boundary-setting.
CONNECTORS.md: 'Plugins are tool-agnostic — they describe workflows in terms of categories (data warehouse, chat, project tracker, etc.) rather than specific products.' — transparent design, no hidden injection.
Permissions
Low
Profile declares no explicit tool permissions or hooks; skills are user-invocable helpers (journal-entry, reconciliation, financial-statements, variance-analysis, sox-testing, close-management, audit-support) that guide workflows but do not demand shell, file_write, file_delete, or other high-risk categories.
MCP servers are read-only or read-mostly connectors to external data sources (BigQuery, Slack, Microsoft 365, Google Calendar, Gmail); no unrestricted filesystem access, arbitrary code execution, or alwaysApply rules with broad globs.
Authority is narrowly scoped to finance/accounting domain; no vague self-expanding rules or excessive medium-risk categories (web_fetch, subagent) beyond the stated function.
Details
Evidence
No 'permissions' or 'tools' section in profile.yml declaring high-risk categories.
MCP servers are HTTP endpoints to known SaaS platforms; no local binary execution or unrestricted network access.
Skills are descriptive templates (e.g., 'Generate financial statements', 'Prepare journal entries') with no authority to modify systems or bypass controls.
MCP Risk
MCP-000Medium
All MCP server URLs point to known, legitimate service endpoints (Google, Slack, Microsoft) with no unknown or arbitrary binaries; no hidden instructions were found in tool descriptions.
Snowflake and Databricks entries have empty URLs, meaning they are placeholder stubs that pose no immediate network risk but could be populated later without review.
The combination of seven external MCP servers (data warehouse, email, calendar, chat, office suite) represents a broad external network footprint that warrants monitoring, though each individual server is from a reputable provider.