Security risk report for @forgecat/anthropics_knowledge-work-plugins_legal v0.0.8
Source Integrity
Low
Profile sourced from Anthropic's official knowledge-work-plugins repository on GitHub.
Legitimate, well-known publisher with established security practices; no supply-chain red flags.
Agent Intent
Low
Content describes legitimate legal workflows (contract review, compliance checks, NDA triage, risk assessment) without instructing the agent to ignore instructions, exfiltrate data, or manipulate its own behavior.
Skill descriptions and templates are educational and procedural—they guide the agent to assist with legal tasks, not to compromise itself or hide its instructions.
No guidance poisoning detected; recommendations to use standard legal tools (DocuSign, Box, Slack, etc.) and well-established compliance frameworks (GDPR, CCPA, LGPD) are legitimate and widely accepted.
Details
Evidence
Skills focus on legitimate legal assistance: 'Review a contract against your organization's negotiation playbook', 'Run a compliance check on a proposed action', 'Assess and classify legal risks'.
Escalation triggers in legal-response skill explicitly instruct the agent to STOP and escalate to counsel when situations are sensitive—this is defensive, not manipulative.
Compliance-check skill provides standard regulatory overviews (GDPR, CCPA, LGPD, POPIA, etc.) as reference material, not as instructions to weaken security or bypass controls.
Permissions
Low
Skills request access to legitimate business tools (email, calendar, chat, cloud storage, CLM, CRM, e-signature) scoped to legal workflows.
No shell, file_write, file_delete, or arbitrary code execution permissions requested; all tool access is read-heavy (scanning documents, emails, calendars) or write-scoped to specific legal outputs (briefings, redlines, responses).
Authority matches stated function: a legal team assistant needs to read contracts, emails, and calendars to perform contract review, compliance checks, and meeting prep.
Details
Evidence
MCP servers declared are all legitimate, well-known business platforms: Slack, Box, Egnyte, Atlassian, Microsoft 365, DocuSign, Google Calendar, Gmail.
Skills use placeholder references (~~cloud storage, ~~calendar, ~~CLM) to remain tool-agnostic; no hardcoded or excessive access patterns.
Signature-request skill explicitly includes a pre-signature checklist and verification steps before routing documents—this is a safety control, not a permission escalation.
MCP Risk
MCP-000Medium
All eight MCP servers point to well-known, vendor-operated official endpoints (mcp.slack.com, mcp.box.com, mcp.atlassian.com, microsoft365.mcp.claude.com, mcp.docusign.com, etc.) with no unknown or arbitrary binaries.
No hidden instructions are embedded in tool descriptions; tool definitions are absent from the profile (no custom tool schemas with poisoned descriptions).
The combination of email, document storage, and e-signature access means a compromised or malicious MCP server in this set could exfiltrate sensitive legal documents or trigger unauthorized contract signatures — warranting caution despite the reputable endpoints.