Security risk report for @forgecat/anthropics_knowledge-work-plugins_product-management v0.0.7
Source Integrity
Low
Profile is authored by Anthropic and sourced from the official knowledge-work-plugins repository (https://github.com/anthropics/knowledge-work-plugins), a trusted first-party source.
MCP servers reference legitimate, well-known SaaS platforms (Slack, Linear, Asana, Figma, Amplitude, etc.) with standard public endpoints.
No typosquatted, attacker-controlled, or suspicious package/service references detected.
Agent Intent
Low
Content describes legitimate product management workflows (spec writing, roadmap planning, research synthesis, metrics review) without instructing the AI to ignore instructions, exfiltrate data, or manipulate its own behavior.
Markdown documents educational frameworks (RICE scoring, HMW questions, JTBD, opportunity solution trees) and skill guidance — these are descriptive best practices, not injected malicious instructions.
No directives to read credentials, fetch external payloads, hide instructions, leak system prompts, or weaken security defaults; no guidance poisoning that would steer future outputs toward attacker goals.
Details
Evidence
CONNECTORS.md: 'Plugins are tool-agnostic — they describe workflows in terms of categories rather than specific products.'
brainstorm.md: 'Be a sparring partner, not a scribe. React to ideas. Push back. Build on them.' — standard PM coaching, not manipulation.
competitive-brief/SKILL.md: 'Be honest and evidence-based — do not dismiss competitors or inflate their weaknesses.' — ethical guidance, not poisoning.
No instructions to execute remote code, modify system behavior, or bypass safety guardrails.
Permissions
Low
Profile declares no direct tool permissions or hooks; all authority is delegated to MCP servers (Slack, Linear, Asana, etc.) that the user explicitly connects.
Skills describe read-only or standard operations: pulling metrics from analytics, searching knowledge bases, reviewing project tracker status, fetching meeting transcriptions — all aligned with stated product management functions.
No shell, file_write, file_delete, or high-risk categories requested; no alwaysApply rules with broad globs; no excessive authority beyond the stated purpose of PM support.
Details
Evidence
README.md: 'Connects to Linear, Asana, Monday, ClickUp, Atlassian, Figma, Amplitude, Pendo, Intercom, Fireflies, SimilarWeb, Slack, Notion, and more.' — user-initiated integrations, not forced permissions.
metrics-review/SKILL.md: 'If ~~product analytics is connected: Pull key product metrics for the relevant time period' — read-only data retrieval, not mutation.
roadmap-update/SKILL.md: 'If project management tool is connected, offer to update ticket statuses' — standard PM workflow, not excessive agency.
MCP Risk
MCP-000Medium
All 16 MCP servers use HTTP transport pointing to official vendor-owned domains, with no unknown binaries or arbitrary code execution involved.
No hidden instructions were found in tool descriptions; the MCP configuration is straightforward URL-based connectivity.
The large number of external service connections (16 servers) increases the attack surface for server-side prompt injection from any one of those services, warranting caution even though no individual server is inherently dangerous.
Details
Evidence
All URLs match expected vendor domains: mcp.slack.com, mcp.linear.app, mcp.figma.com, mcp.amplitude.com, etc.
No tool-level description fields with embedded instructions detected in the MCP server definitions