highlight-graph
Warn
Audited by Socket on Mar 18, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The core behavior fits the stated purpose of visualizing Readwise highlights, and data flows are mostly proportional. The main issue is install/execution trust: the required `readwise` fallback CLI is not pinned or clearly tied to the official Readwise distribution, creating supply-chain ambiguity. Privacy exposure is moderate because user highlights are analyzed by subagents and rendered via an HTML page that may load a CDN script, but there is no clear credential harvesting or off-platform exfiltration.
Confidence: 84%
Severity: 56%
Audit Metadata