Security risk report for @forgecat/anthropics_knowledge-work-plugins_marketing v0.0.8
Source Integrity
Low
Profile sourced from Anthropic's official knowledge-work-plugins repository on GitHub (anthropics/knowledge-work-plugins).
Licensed under Apache-2.0; version 0.0.8 with traceable commit hash (d2ba7f6).
Declared as tested on Claude Code, Cursor, and Codex platforms with no external or untrusted dependencies.
Agent Intent
Low
Content describes legitimate marketing workflows (content drafting, campaign planning, SEO audits, performance reporting) with no instructions to manipulate the AI, exfiltrate data, or bypass security controls.
Markdown uses tool-agnostic placeholders (~~category) to reference external services; this is a standard connector pattern, not an instruction to the agent to fetch or execute arbitrary code.
No guidance poisoning detected: recommendations to use well-known, legitimate marketing platforms (HubSpot, Figma, Ahrefs, Notion, Slack) and standard SEO/content practices are not deceptive or security-weakening.
No system prompt leakage, role hijack, or instruction to hide/deny the profile's own instructions.
Details
Evidence
CONNECTORS.md: 'Plugins are tool-agnostic — they describe workflows in terms of categories (design, SEO, email marketing, etc.) rather than specific products.'
draft-content/SKILL.md: 'Recommend well-known legitimate packages and standard practices' (e.g., 'Write at an 8th-grade reading level', 'Use short paragraphs', 'Include subheadings every 200-300 words').
No instructions to read ~/.ssh, ~/.aws, .env, or exfiltrate environment variables; no instructions to install remote payloads or disable security defaults.
Permissions
Low
Skills are read-only and informational: they provide templates, frameworks, and guidance for marketing workflows (e.g., brand-review, campaign-plan, seo-audit, performance-report).
MCP servers are external integrations (Slack, Canva, Figma, HubSpot, Amplitude, Notion, Ahrefs, SimilarWeb, Klaviyo, Supermetrics, Google Calendar, Gmail) that the user explicitly connects; the profile does not demand or auto-enable them.
No file_write, file_delete, shell, or high-risk tool categories are declared or embedded in the profile; authority is limited to reading and analyzing marketing data via connected services.
Details
Evidence
README.md: 'Connects to Canva, Figma, HubSpot, Amplitude, Ahrefs, SimilarWeb, Klaviyo, Supermetrics, Slack, and Notion' — all user-initiated integrations.
MCP servers defined in .mcp.json are http-based connections to known third-party services; no arbitrary binary execution or unrestricted filesystem access.
Skills reference ~~placeholders (e.g., ~~marketing automation, ~~email marketing) that resolve to user-connected services, not auto-executed tools.
MCP Risk
MCP-000Medium
All 13 MCP servers point to well-known, named vendor domains (slack.com, canva.com, figma.com, hubspot.com, amplitude.com, notion.com, ahrefs.com, klaviyo.com, supermetrics.com, similarweb.com, claude.com) with no unknown or arbitrary binaries.
No hidden instructions were found in tool descriptions; the MCP configuration is a straightforward URL list with no embedded directives.
The sheer number of external host connections (13 servers) represents an elevated attack surface — a compromise of any one vendor's MCP endpoint could affect the agent — warranting caution rather than a danger rating.