plannotator-compound
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands such as `ls`, `stat`, and `wc` to gather metadata about plan files, calculate statistics, and detect previous report versions for incremental analysis.
- [COMMAND_EXECUTION]: It invokes a bundled Python script (`extract_exit_plan_mode_outcomes.py`) to normalize and extract human-authored feedback from Claude Code session transcripts.
- [DATA_EXFILTRATION]: The skill accesses sensitive data including user interaction transcripts and planning history located in `~/.claude/projects/` and `~/.plannotator/plans/`. This data is processed locally to generate analytical reports and is not transmitted outside the user's environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it processes untrusted plan content and logs.
  - Ingestion points: Processes markdown files from Plannotator archives and JSONL transcripts from Claude Code logs.
  - Boundary markers: Employs structural delimiters in extraction prompts but lacks specialized guardrails to prevent obedience to instructions embedded within user plans.
  - Capability inventory: Executes system commands, runs local Python scripts, spawns sub-agents, and modifies the local `hooks` directory.
  - Sanitization: No explicit sanitization or validation of the processed user feedback is performed before its inclusion in the generated reports or the improvement hook file.
Audit Metadata