plannotator-compound
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: Executes a bundled Python script ('scripts/extract_exit_plan_mode_outcomes.py') to normalize and parse Claude Code session logs. The script uses standard libraries and performs local data transformations without network access.
- [DATA_EXFILTRATION]: Accesses user planning artifacts in '/.plannotator/' and session logs in '/.claude/projects/'. This access is limited to reading the user's planning history for analysis purposes. No evidence of data exfiltration or credential harvesting was found.
- [EXTERNAL_DOWNLOADS]: The report template references font assets from Google's public content delivery network. These are well-known resources and do not pose a security risk.
- [PROMPT_INJECTION]: The skill processes untrusted user log data, which constitutes a potential surface for indirect prompt injection. The risk is mitigated by the skill's design, which uses structured extraction templates, specific delimiters ('---'), and task-specific scoping for extraction and reduction agents.
  - Ingestion points: User-provided planning files and session logs.
  - Boundary markers: The skill uses structural separators and formatted JSON records to delimit untrusted data.
  - Capability inventory: File system access, local script execution, and agent tool invocation.
  - Sanitization: The parsing script performs cleaning of transcript noise and filters for specific human-authored denial reasons.
Audit Metadata