Security risk report for @forgecat/engineering-agent-team v0.1.1
Source Integrity
Low
Profile is authored by ForgeCat (declared in README).
Source repository is public and traceable: https://github.com/nota-america/forgecat-agent-profiles.
Skills are vendored from a declared upstream source (@forgecat/anthropics_knowledge-work-plugins_engineering) with clear attribution.
No suspicious or obfuscated dependencies; all referenced skills are named explicitly in skill maps.
Agent Intent
Low
Content describes legitimate engineering workflows (ADR creation, code review, debugging, deployment) with no instructions to manipulate the AI or hide its instructions.
No directives to read credentials, exfiltrate data, or execute remote payloads.
Operating rules explicitly require owner approval before external actions (merge, deploy, page teams, post updates), constraining agent autonomy rather than expanding it.
Skill descriptions document standard engineering practices (testing, documentation, incident response) without poisoning guidance or weakening security defaults.
Details
Evidence
'Do not merge, deploy, roll back, page, post status, update tickets, or publish docs without explicit owner approval.' (eng-tech-lead.md)
'Do not deploy, roll back, flip flags, merge, or update production systems without explicit approval.' (eng-release-agent.md)
Skills teach standard practices: 'Security audit (OWASP top 10, injection, auth)' (code-review/SKILL.md), 'Blameless postmortem' (incident-response/SKILL.md)
Permissions
Low
MCP servers are scoped to their stated functions: Slack for chat, GitHub for source control, Linear/Asana/Atlassian for project tracking, Datadog for monitoring, PagerDuty for incident management.
No shell, file_write, file_delete, or arbitrary code execution tools declared.
Skills are read-only or advisory (review, design, debug) except where explicitly gated by approval rules.
Details
Evidence
MCP servers are HTTP endpoints to known SaaS platforms (Slack, GitHub, Linear, Datadog, PagerDuty).
'Do not page teams, post incident updates, change production, deploy, or roll back without explicit approval.' (eng-debug-incident-agent.md)
'Do not merge, approve, or update PRs without explicit approval.' (eng-code-quality-agent.md)
MCP Risk
Low
All MCP servers are HTTP endpoints to well-known, legitimate SaaS platforms (Slack, GitHub, Linear, Asana, Atlassian, Notion, Datadog, PagerDuty, Google Calendar, Gmail).
No arbitrary binary execution, shell commands, or unrestricted filesystem access.
Server URLs are standard public API endpoints with no hidden or obfuscated instructions in tool descriptions.
Credential management is delegated to the host environment (Cursor/Claude Code/Codex) and not embedded in the profile.
Details
Evidence
All mcpServers entries are HTTP URLs to known platforms: 'https://api.github.com/mcp', 'https://mcp.slack.com/mcp', 'https://mcp.pagerduty.com/mcp'.
No shell, exec, or binary_run tool categories declared.
Skill descriptions reference connectors generically ('If source control is connected...') without embedding credentials or malicious payloads.