plannotator-compound
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses highly sensitive user data directories for analysis. It reads session transcripts from
~/.claude/projects/which may contain credentials, proprietary code, and personal communications. - [COMMAND_EXECUTION]: The skill executes shell commands and a bundled Python script to process log data. It uses
lsandstatfor file discovery and runs a local scriptscripts/extract_exit_plan_mode_outcomes.pyto normalize JSONL transcripts. - [PROMPT_INJECTION]: The skill facilitates automated behavior modification based on untrusted session data.
- Ingestion points: Processes user data from
~/.plannotator/plans/and~/.claude/projects/. - Boundary markers: No delimiters or safety instructions are used when ingesting log data.
- Capability inventory: Generates prompt instructions and writes them to a persistent hook at
~/.plannotator/hooks/compound/enterplanmode-improve-hook.txt. - Sanitization: Lacks validation of feedback content before converting it into system-level prompt instructions.
Audit Metadata