Security risk report for @forgecat/anthropics_knowledge-work-plugins_human-resources v0.0.8
Source Integrity
Low
Profile is sourced from Anthropic's official knowledge-work-plugins repository on GitHub.
Declared as Apache-2.0 licensed, with transparent attribution and original commit hash (d2ba7f6).
Agent Intent
Low
Content describes legitimate HR workflows (recruiting, onboarding, performance reviews, compensation analysis) with no instructions to manipulate the AI, read credentials, or exfiltrate data.
No prompt injection, role hijacking, system prompt leakage, or guidance poisoning detected; all skill descriptions are functional and transparent about tool dependencies.
Placeholder syntax (~~HRIS, ~~ATS, ~~calendar) is clearly documented as tool-agnostic connectors, not hidden instructions.
Details
Evidence
CONNECTORS.md explicitly explains placeholder semantics: 'Plugin files use ~~category as a placeholder for whatever tool the user connects in that category.'
All skills describe legitimate HR operations (e.g., 'Draft an offer letter with comp details and terms', 'Generate an onboarding checklist') with no malicious directives.
Tips and guardrails in policy-lookup explicitly warn against guessing and recommend consulting HR/legal for edge cases — reinforces safety-conscious design.
Permissions
Low
MCP servers are scoped to legitimate business tools (Slack, Google Calendar, Gmail, Notion, Atlassian, Microsoft 365) aligned with stated HR functions.
No shell, file_write, file_delete, or arbitrary code execution permissions requested; all access is read/query-oriented (calendar lookup, knowledge base search, HRIS data pull).
Authority matches stated purpose: recruiting pipeline, onboarding, performance reviews, and policy lookup require read access to HR systems and communication tools, not elevated system privileges.
Details
Evidence
MCP servers defined: Slack (messaging), Google Calendar (scheduling), Gmail (email), Notion/Atlassian (knowledge base), Microsoft 365 (email/calendar) — all standard business connectors.
Skills document expected inputs (role, level, location, employee data) and outputs (templates, reports, checklists) with no mention of system-level or destructive operations.
HRIS and ATS connectors are optional and used only for data retrieval ('Pull current employee comp data', 'Pull candidate details from the application'), not mutation or deletion.
MCP Risk
MCP-000Medium
All six MCP servers point to well-known, vendor-operated official endpoints (slack.com, claude.com subdomains, notion.com, atlassian.com, microsoft365) — no unknown binaries or arbitrary third-party hosts.
No hidden instructions are embedded in tool descriptions; the MCP JSON is clean with only type and URL fields.
The breadth of six simultaneous external service connections (email, chat, calendar, two knowledge bases, productivity suite) represents a meaningful attack surface if any one service were compromised, warranting caution.
Details
Evidence
mcpServers config: all URLs are first-party vendor domains (mcp.slack.com, gcal.mcp.claude.com, gmail.mcp.claude.com, mcp.notion.com, mcp.atlassian.com, microsoft365.mcp.claude.com).
No tool description fields present in the MCP JSON — no vector for hidden instruction injection via tool metadata.
Six concurrent external HTTP MCP connections declared, each requiring its own auth scope and network access.