plankton-code-quality
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The installation process requires cloning an external, untrusted repository (github.com/alexfazio/plankton.git) and integrating its shell scripts as automated hooks. These scripts are executed with the user's privileges and originate from a source outside the trusted list.
- [REMOTE_CODE_EXECUTION]: The skill implements a 'Phase 3: Delegate + Verify' mechanism that spawns claude -p subprocesses. These subprocesses receive JSON-formatted linter violations and are instructed to automatically modify source code, which constitutes automated code execution and modification based on potentially untrusted input.
- [COMMAND_EXECUTION]: The skill utilizes multiple shell hooks (multi_linter.sh, protect_linter_configs.sh, stop_config_guardian.sh) that run automatically on every file edit or command attempt. These hooks perform a wide range of filesystem and system operations.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8) because it processes untrusted source code and feeds linter output into a secondary LLM process.
  - Ingestion points: Source code files modified by the user or agent, which are then read by various linters.
  - Boundary markers: None are specified; the violations JSON is passed directly to the claude -p subprocess.
  - Capability inventory: The subprocess has write access to the filesystem to perform code fixes.
  - Sanitization: There is no evidence that linter error messages (which can include content from the source code itself) are sanitized before being processed by the secondary model.