Security risk report for @forgecat/anthropics_knowledge-work-plugins_productivity v0.0.9
Source Integrity
Low
Profile is attributed to Anthropic with clear provenance (GitHub repository, Apache-2.0 license, original commit hash).
Legitimate productivity plugin from a known, trusted source.
Agent Intent
Low
Content describes legitimate task and memory management workflows without manipulative instructions.
No prompt injection, role hijacking, system prompt leakage, or guidance poisoning detected.
Memory system is designed to help Claude understand workplace context—a collaborative feature, not a hidden instruction vector.
Details
Evidence
Memory-management skill documents a tiered lookup system for decoding workplace shorthand (CLAUDE.md → glossary.md → ask user).
Start skill instructs the agent to bootstrap memory by analyzing the user's own task list and asking clarifying questions—transparent, user-driven.
Update skill describes syncing tasks and filling memory gaps—standard productivity operations with no hidden directives.
Permissions
Low
MCP servers are scoped to legitimate productivity tools (Slack, Notion, Asana, Linear, etc.) matching the stated function.
File operations are limited to local TASKS.md, CLAUDE.md, and memory/ directory—no shell, file_delete, or unrestricted filesystem access.
No excessive agency; all operations are task/memory management within the user's own workspace.
Details
Evidence
MCP servers are HTTP endpoints to well-known SaaS platforms (Slack, Asana, Microsoft 365, Gmail, etc.).
Skills reference only local file reads/writes (TASKS.md, CLAUDE.md, memory/) and MCP tool calls for syncing external tasks.
No shell execution, file mutation outside the working directory, or arbitrary binary invocation.
MCP Risk
MCP-000Medium
All ten MCP servers use well-known, vendor-operated endpoints (mcp.slack.com, mcp.notion.com, mcp.atlassian.com, gmail.mcp.claude.com, etc.) with no unknown or arbitrary binaries.
No hidden instructions are embedded in tool descriptions; the MCP configuration is straightforward URL-only entries with no suspicious parameters.
The sheer number of external service connections (10 servers) and the sensitivity of the data they expose (email, chat, calendar) elevates this to caution — a compromised or misconfigured MCP server in this set could expose significant workplace data.
Details
Evidence
mcp.json: 10 HTTP MCP servers declared across productivity, communication, and project-management categories
All URLs match official vendor MCP endpoints (e.g. 'https://mcp.slack.com/mcp', 'https://gmail.mcp.claude.com/mcp') — no unknown third-party hosts
No tool-description fields present in the MCP config that could carry hidden instructions