Security risk report for @forgecat/anthropics_knowledge-work-plugins_operations v0.0.8
Source Integrity
Low
Profile sourced from Anthropic's official knowledge-work-plugins repository (https://github.com/anthropics/knowledge-work-plugins/tree/main/operations).
Licensed under Apache-2.0; version 0.0.8 with traceable commit hash (d2ba7f6).
Tested on legitimate platforms (Claude Code, Cursor, Codex) with no suspicious distribution chain.
Agent Intent
Low
Content describes legitimate business operations workflows (process documentation, capacity planning, compliance tracking, vendor review, change management) with no instructions to manipulate the AI, read credentials, exfiltrate data, or hide instructions.
Skill descriptions use standard operational frameworks (RACI matrices, risk registers, change management processes) — no guidance poisoning or malicious knowledge injection.
Connector placeholders (~~ITSM, ~~calendar, ~~knowledge base) are transparent tool-agnostic abstractions; no hidden instructions to install backdoored dependencies or weaken security defaults.
Details
Evidence
Skills focus on legitimate business processes: 'Document a business process', 'Analyze and improve business processes', 'Create a change management request', 'Track compliance requirements'.
No instructions to read ~/.ssh, ~/.aws, .env, or exfiltrate data.
No instructions to reveal system prompt, tool definitions, or conversation memory.
Connector documentation explicitly states 'Plugins are tool-agnostic' and lists well-known legitimate services (ServiceNow, Slack, Notion, Asana, Google Calendar, Microsoft 365).
Permissions
Low
No explicit tool declarations in the profile; authority is delegated to user-connected MCP servers (Slack, Google Calendar, Gmail, Notion, Atlassian, Asana, ServiceNow, Microsoft 365).
MCP servers are scoped to their respective services — Slack for chat, Gmail for email, Notion for knowledge base — matching the stated operational workflow purposes.
No high-risk categories (shell, file_write, file_delete) declared; no alwaysApply rules with broad globs.
Details
Evidence
Profile declares 8 HTTP-based MCP servers, each tied to a specific business tool (Slack, Google Calendar, Gmail, Notion, Atlassian, Asana, ServiceNow, Microsoft 365).
Skills reference connectors conditionally: 'If ~~project tracker is connected', 'If ~~ITSM is connected' — authority is opt-in, not forced.
No file system, shell, or network access declared outside the MCP servers.
MCP Risk
MCP-000Medium
All eight MCP servers use HTTPS endpoints at well-known, vendor-official domains (slack.com, claude.com subdomains, notion.com, atlassian.com, asana.com, servicenow.com, microsoft365), reducing supply-chain risk.
No hidden instructions were found in tool descriptions, and no arbitrary binary execution or unrestricted filesystem access is configured.
The sheer number of external SaaS connections (8 services) means a compromised or misconfigured MCP server could expose cross-platform business data; this warrants caution despite the reputable domains.
Details
Evidence
mcpServers: all entries use 'type: http' with TLS URLs at vendor-controlled domains — no localhost, arbitrary IPs, or unknown binaries.
No tool description fields with embedded instructions were present in the MCP config.
8 simultaneous external service connections: Slack + Gmail + Google Calendar + Notion + Atlassian + Asana + ServiceNow + Microsoft 365.